gozi_ifsb | 4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

General

Target

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe
Size

455KB
MD5

cac2eaa37b36f498f29843590fca272e
SHA1

8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805
SHA256

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34
SHA512

7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214963

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

bidiprov.exe

pid process

1144 bidiprov.exe
Deletes itself 1 IoCs

Processes:

bidiprov.exe

pid process

1144 bidiprov.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2040 cmd.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

pid	process
1144	bidiprov.exe

pid	process
1144	bidiprov.exe

pid	process
2040	cmd.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\actian32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\COLOorui\\bidiprov.exe"	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bidiprov.exesvchost.exe

description	pid	process	target process
PID 1144 set thread context of 1992	1144	bidiprov.exe	svchost.exe
PID 1992 set thread context of 1232	1992	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bidiprov.exeExplorer.EXE

pid process

1144 bidiprov.exe
1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bidiprov.exesvchost.exe

pid process

1144 bidiprov.exe
1992 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1144	bidiprov.exe
1232	Explorer.EXE

pid	process
1144	bidiprov.exe
1992	svchost.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.execmd.execmd.exebidiprov.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	cmd.exe
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	cmd.exe
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	cmd.exe
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	cmd.exe
PID 1128 wrote to memory of 2040	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 2040	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 2040	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 2040	1128	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1144	2040	cmd.exe	bidiprov.exe
PID 2040 wrote to memory of 1144	2040	cmd.exe	bidiprov.exe
PID 2040 wrote to memory of 1144	2040	cmd.exe	bidiprov.exe
PID 2040 wrote to memory of 1144	2040	cmd.exe	bidiprov.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	svchost.exe
PID 1992 wrote to memory of 1232	1992	svchost.exe	Explorer.EXE
PID 1992 wrote to memory of 1232	1992	svchost.exe	Explorer.EXE
PID 1992 wrote to memory of 1232	1992	svchost.exe	Explorer.EXE
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	cmd.exe
PID 1492 wrote to memory of 1508	1492	cmd.exe	nslookup.exe
PID 1492 wrote to memory of 1508	1492	cmd.exe	nslookup.exe
PID 1492 wrote to memory of 1508	1492	cmd.exe	nslookup.exe
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe
"C:\Users\Admin\AppData\Local\Temp\4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\367C\10.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE"
4⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F254.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1508

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F254.bi1"
2⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\367C\10.bat
Filesize
108B

MD5
2bdd40e06b4f3c4f8efd6e43d92ca1ac

SHA1
f19c48865f36b37f0259cb785f867353e1ced8ec

SHA256
4441394fac10909ddf844111596b5e0427e82762841e52ff353678531dbaad48

SHA512
c0e36a441ac9c6f65a74ed8ec307559c3e7c7e3d75cfe866bcd04e389c6ba5996503cb221e0530173d0b6ea9947e6b8c4ab72a83e56ad9923e8bea23a8d05618

Download Submit
C:\Users\Admin\AppData\Local\Temp\F254.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\F254.bi1
Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1144-62-0x0000000000000000-mapping.dmp

Download
memory/1144-66-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1144-67-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1232-70-0x0000000004120000-0x00000000041B2000-memory.dmp

Filesize
584KB

Download
memory/1232-71-0x0000000004120000-0x00000000041B2000-memory.dmp

Filesize
584KB

Download
memory/1492-72-0x0000000000000000-mapping.dmp

Download
memory/1508-73-0x0000000000000000-mapping.dmp

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1712-55-0x00000000002B0000-0x000000000030D000-memory.dmp

Filesize
372KB

Download
memory/1712-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1712-56-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download
memory/1992-69-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download
memory/1992-68-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads