gozi_ifsb | 7943875b4482c8893854ef9b127b995270fe365be81d0db978b3937811c68bd1

General

Target

7943875b4482c8893854ef9b127b995270fe365be81d0db978b3937811c68bd1.exe
Size

298KB
MD5

ac9c437a379f66b5a5a054f8fa2f879a
SHA1

53cfe57f0e419e62b78cf058f955903c7b34d45c
SHA256

7943875b4482c8893854ef9b127b995270fe365be81d0db978b3937811c68bd1
SHA512

465af8ccba10b71c847291806015e12e30cbd96e528b615d89e8f9472e8d14320287c2a32eccb2f7abf3c06a31d0edc4eed1ad047834c43fb0b3b0bc3bcf1cdf

Score

10^/10

gozi_ifsb 2000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2000

C2

has.votaritar.at/webstore

Attributes

build
217099
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
dns_servers
8.8.8.8
195.10.195.195
8.8.4.4
95.216.174.175
193.30.123.44
94.247.43.254
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	95.216.174.175
Destination IP	94.247.43.254
Destination IP	193.30.123.44
Destination IP	193.30.123.44
Destination IP	195.10.195.195
Destination IP	95.216.174.175
Destination IP	195.10.195.195

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000b453ab98b62c50eb2bdf9aa9670cf71d30eb50cdd5a77f12b3efce1d36bc7338000000000e8000000002000020000000c92164cf468a3e3b72d3638fa1a965e0ab95e1de8e869e9c24a807bff405121a2000000079717edc0dbb66c141e1a6c32f3c942830a293fb2f5508c3a8cff325a8f8d6af4000000073e2b026420dec3f9a7741084d87ba175106badbad49bbd026dbfedb7ee55e4831b3d28c91a3e6cd5096bdc10281fa536340fa126342a475b7142320b7633d6f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30446c27f1a4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35CE3DD0-10E4-11ED-B6A1-C6D00B19C561} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba54270000000002000000000010660000000100002000000074693a1ddeba6b5e9c0fef7d5391ef01037c8af2c6e779c3d7d835c943ef00b4000000000e80000000020000200000003e69db192592f72ba615aeb796f76dfe1ccf3abdc10a6b6e9911d6d025d7e97d90000000e6e627360ea15d6e2ad535c392ef8b403aea0a32726cde20e52e36e905cece0e7aaf8525b1f3f7263e084535ce9e8cce87a7681f83ed3f450ef99dd93180d0d330164ef1ffb68f2e9c2f8cf37bc8653a81c7c7d3f5497dd1a9344c0ba84066a529a0ebaf75d6c3edccd69f18ffd5c0ca582c97a1f95f86566b9ccb6f6a30a64849146a2372d97332592c6db7adfcae724000000019330f96c774c54ccb53303c1a1414463ebe9ad29a2e8e9e0db880d1e7cf047fc94553d19e79626657bbb5aff99e17d08a8b53e05ca98c669cb0335ae7c9199b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

308 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

308 iexplore.exe
308 iexplore.exe
1500 IEXPLORE.EXE
1500 IEXPLORE.EXE

pid	process
308	iexplore.exe

pid	process
308	iexplore.exe
308	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 308 wrote to memory of 1500	308	iexplore.exe	IEXPLORE.EXE
PID 308 wrote to memory of 1500	308	iexplore.exe	IEXPLORE.EXE
PID 308 wrote to memory of 1500	308	iexplore.exe	IEXPLORE.EXE
PID 308 wrote to memory of 1500	308	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7943875b4482c8893854ef9b127b995270fe365be81d0db978b3937811c68bd1.exe
"C:\Users\Admin\AppData\Local\Temp\7943875b4482c8893854ef9b127b995270fe365be81d0db978b3937811c68bd1.exe"
1⤵
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-54-0x00000000008D1000-0x00000000008DB000-memory.dmp

Filesize
40KB

Download
memory/2020-55-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2020-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2020-57-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/2020-63-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2020-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads