gozi_ifsb | 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

General

Target

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
Size

388KB
MD5

5031ce596f9f1898fe11cfa7e8858795
SHA1

ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512

1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

adsngpui.exe

pid process

592 adsngpui.exe
Deletes itself 1 IoCs

Processes:

adsngpui.exe

pid process

592 adsngpui.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

972 cmd.exe
972 cmd.exe

pid	process
592	adsngpui.exe

pid	process
592	adsngpui.exe

pid	process
972	cmd.exe
972	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Devipast = "C:\\Users\\Admin\\AppData\\Roaming\\avictnet\\adsngpui.exe"	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

adsngpui.exesvchost.exe

description	pid	process	target process
PID 592 set thread context of 1308	592	adsngpui.exe	svchost.exe
PID 1308 set thread context of 1184	1308	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

adsngpui.exeExplorer.EXE

pid process

592 adsngpui.exe
1184 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

adsngpui.exesvchost.exe

pid process

592 adsngpui.exe
1308 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE

pid	process
592	adsngpui.exe
1184	Explorer.EXE

pid	process
592	adsngpui.exe
1308	svchost.exe

pid	process
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.execmd.execmd.exeadsngpui.exesvchost.exe

description	pid	process	target process
PID 1980 wrote to memory of 2024	1980	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 1980 wrote to memory of 2024	1980	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 1980 wrote to memory of 2024	1980	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 1980 wrote to memory of 2024	1980	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 2024 wrote to memory of 972	2024	cmd.exe	cmd.exe
PID 2024 wrote to memory of 972	2024	cmd.exe	cmd.exe
PID 2024 wrote to memory of 972	2024	cmd.exe	cmd.exe
PID 2024 wrote to memory of 972	2024	cmd.exe	cmd.exe
PID 972 wrote to memory of 592	972	cmd.exe	adsngpui.exe
PID 972 wrote to memory of 592	972	cmd.exe	adsngpui.exe
PID 972 wrote to memory of 592	972	cmd.exe	adsngpui.exe
PID 972 wrote to memory of 592	972	cmd.exe	adsngpui.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 592 wrote to memory of 1308	592	adsngpui.exe	svchost.exe
PID 1308 wrote to memory of 1184	1308	svchost.exe	Explorer.EXE
PID 1308 wrote to memory of 1184	1308	svchost.exe	Explorer.EXE
PID 1308 wrote to memory of 1184	1308	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
"C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\28E8\D6.bat" "C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
"C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28E8\D6.bat
Filesize
108B

MD5
3d9c337d2305043624a0324984a78307

SHA1
78834c56bf3edaa53114a2f043038fae766d7085

SHA256
307ecb24d02715d360a8c4ee167720d6ec199c8c6adc5bf424b3c808ece057ae

SHA512
3ccedc03c005e1898c5380006be0bd34df7c7b079c908573c174b0a0ad7874eff4149b39f6d3ebc8672bb77b83d43964989d1204019bf6f132235ecff0881c7e

Download Submit
C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
memory/592-64-0x0000000000000000-mapping.dmp

Download
memory/592-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/592-69-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/972-60-0x0000000000000000-mapping.dmp

Download
memory/1184-72-0x0000000002A30000-0x0000000002AA5000-memory.dmp

Filesize
468KB

Download
memory/1184-73-0x0000000002A30000-0x0000000002AA5000-memory.dmp

Filesize
468KB

Download
memory/1308-70-0x0000000000000000-mapping.dmp

Download
memory/1308-71-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download
memory/1980-57-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/1980-54-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads