gozi_ifsb | 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

General

Target

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
Size

351KB
MD5

257314a13ce06122c3b7020c3e7d8724
SHA1

d8a8df5a073049cf9b7a78bb16fc4437accf11e5
SHA256

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409
SHA512

b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Appxtdll.exe

pid process

3824 Appxtdll.exe

pid	process
3824	Appxtdll.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BWCotons = "C:\\Users\\Admin\\AppData\\Roaming\\ActiApis\\Appxtdll.exe"	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4636 3824 WerFault.exe Appxtdll.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Appxtdll.exe

pid process

3824 Appxtdll.exe
3824 Appxtdll.exe

pid	pid_target	process	target process
4636	3824	WerFault.exe	Appxtdll.exe

pid	process
3824	Appxtdll.exe
3824	Appxtdll.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.execmd.execmd.exeAppxtdll.exe

description	pid	process	target process
PID 1320 wrote to memory of 4420	1320	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1320 wrote to memory of 4420	1320	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 1320 wrote to memory of 4420	1320	508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe	cmd.exe
PID 4420 wrote to memory of 3556	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 3556	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 3556	4420	cmd.exe	cmd.exe
PID 3556 wrote to memory of 3824	3556	cmd.exe	Appxtdll.exe
PID 3556 wrote to memory of 3824	3556	cmd.exe	Appxtdll.exe
PID 3556 wrote to memory of 3824	3556	cmd.exe	Appxtdll.exe
PID 3824 wrote to memory of 4568	3824	Appxtdll.exe	svchost.exe
PID 3824 wrote to memory of 4568	3824	Appxtdll.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
"C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10DC\886E.bat" "C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe
"C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 560
5⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3824 -ip 3824
1⤵
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10DC\886E.bat
Filesize
112B

MD5
6ef94417974ebe650c7ae3c27895531a

SHA1
851ca765c8d2e45884e7072b6671949c54dc98c4

SHA256
b03480f95891effa5441251bee8008fac20fda971f2798b9467a976b012df7d3

SHA512
42fa655dd6d5befc7881fd23f338462e06df03adc5f9dc9394de7c2e418a8ed5368facc346ca6d7aed6ca128c49ef131a8f6f2d48be1267ea1147739484a34c6

Download Submit
C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe
Filesize
351KB

MD5
257314a13ce06122c3b7020c3e7d8724

SHA1
d8a8df5a073049cf9b7a78bb16fc4437accf11e5

SHA256
508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409

SHA512
b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8

Download Submit
memory/1320-130-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1320-132-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/3556-135-0x0000000000000000-mapping.dmp

Download
memory/3824-136-0x0000000000000000-mapping.dmp

Download
memory/3824-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3824-141-0x0000000002090000-0x00000000020C0000-memory.dmp

Filesize
192KB

Download
memory/4420-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads