gozi_ifsb | 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

General

Target

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
Size

351KB
MD5

257314a13ce06122c3b7020c3e7d8724
SHA1

d8a8df5a073049cf9b7a78bb16fc4437accf11e5
SHA256

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409
SHA512

b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

AuxilAPI.exe

pid process

1656 AuxilAPI.exe
Deletes itself 1 IoCs

Processes:

AuxilAPI.exe

pid process

1656 AuxilAPI.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe
1760 cmd.exe

pid	process
1656	AuxilAPI.exe

pid	process
1656	AuxilAPI.exe

pid	process
1760	cmd.exe
1760	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\d3d8wave = "C:\\Users\\Admin\\AppData\\Roaming\\compOMEX\\AuxilAPI.exe"	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

AuxilAPI.exesvchost.exe

description	pid	process	target process
PID 1656 set thread context of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1884 set thread context of 1296	1884	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AuxilAPI.exeExplorer.EXE

pid process

1656 AuxilAPI.exe
1296 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AuxilAPI.exesvchost.exe

pid process

1656 AuxilAPI.exe
1884 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE

pid	process
1656	AuxilAPI.exe
1296	Explorer.EXE

pid	process
1656	AuxilAPI.exe
1884	svchost.exe

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

pid	process
1296	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.execmd.execmd.exeAuxilAPI.exesvchost.exe

description	pid	process	target process
PID 1104 wrote to memory of 1716	1104	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1104 wrote to memory of 1716	1104	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1104 wrote to memory of 1716	1104	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1104 wrote to memory of 1716	1104	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1716 wrote to memory of 1760	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1760	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1760	1716	cmd.exe	cmd.exe
PID 1716 wrote to memory of 1760	1716	cmd.exe	cmd.exe
PID 1760 wrote to memory of 1656	1760	cmd.exe	AuxilAPI.exe
PID 1760 wrote to memory of 1656	1760	cmd.exe	AuxilAPI.exe
PID 1760 wrote to memory of 1656	1760	cmd.exe	AuxilAPI.exe
PID 1760 wrote to memory of 1656	1760	cmd.exe	AuxilAPI.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1656 wrote to memory of 1884	1656	AuxilAPI.exe	svchost.exe
PID 1884 wrote to memory of 1296	1884	svchost.exe	Explorer.EXE
PID 1884 wrote to memory of 1296	1884	svchost.exe	Explorer.EXE
PID 1884 wrote to memory of 1296	1884	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
"C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\44A2\2251.bat" "C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe
"C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44A2\2251.bat
Filesize
108B

MD5
57b580bae0ff1e0ff5b75cf68b5224d4

SHA1
30d41ac5d6a98e896e163980473909748a1f9c60

SHA256
b40a0706bfd36fb3a726d181f2f6ca96e0e5b2ba3f361aa9e54520c6f7422b0c

SHA512
a3a8ae3a0dc51b5825190690eaccbd774f64405dd7b4ff1bb38922a39b43557b8f189d37aba7ea241c32846db395943b43c3c41abb5137a6ddb23e3936398265

Download Submit
C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
C:\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
\Users\Admin\AppData\Roaming\compOMEX\AuxilAPI.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
memory/1104-55-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1104-57-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/1104-54-0x0000000076901000-0x0000000076903000-memory.dmp

Filesize
8KB

Download
memory/1296-74-0x0000000002910000-0x0000000002985000-memory.dmp

Filesize
468KB

Download
memory/1296-73-0x0000000002910000-0x0000000002985000-memory.dmp

Filesize
468KB

Download
memory/1656-67-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1656-69-0x0000000000240000-0x0000000000270000-memory.dmp

Filesize
192KB

Download
memory/1656-64-0x0000000000000000-mapping.dmp

Download
memory/1716-58-0x0000000000000000-mapping.dmp

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1884-70-0x0000000000000000-mapping.dmp

Download
memory/1884-71-0x00000000002C0000-0x0000000000335000-memory.dmp

Filesize
468KB

Download
memory/1884-72-0x00000000002C0000-0x0000000000335000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads