gozi_ifsb | 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

General

Target

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
Size

388KB
MD5

5031ce596f9f1898fe11cfa7e8858795
SHA1

ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512

1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Bingutil.exe

pid process

2292 Bingutil.exe

pid	process
2292	Bingutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcGeecfc = "C:\\Users\\Admin\\AppData\\Roaming\\capahost\\Bingutil.exe"	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 2292 WerFault.exe Bingutil.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Bingutil.exe

pid process

2292 Bingutil.exe
2292 Bingutil.exe

pid	pid_target	process	target process
1532	2292	WerFault.exe	Bingutil.exe

pid	process
2292	Bingutil.exe
2292	Bingutil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.execmd.execmd.exeBingutil.exe

description	pid	process	target process
PID 488 wrote to memory of 4496	488	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 488 wrote to memory of 4496	488	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 488 wrote to memory of 4496	488	5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe	cmd.exe
PID 4496 wrote to memory of 3328	4496	cmd.exe	cmd.exe
PID 4496 wrote to memory of 3328	4496	cmd.exe	cmd.exe
PID 4496 wrote to memory of 3328	4496	cmd.exe	cmd.exe
PID 3328 wrote to memory of 2292	3328	cmd.exe	Bingutil.exe
PID 3328 wrote to memory of 2292	3328	cmd.exe	Bingutil.exe
PID 3328 wrote to memory of 2292	3328	cmd.exe	Bingutil.exe
PID 2292 wrote to memory of 1116	2292	Bingutil.exe	svchost.exe
PID 2292 wrote to memory of 1116	2292	Bingutil.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
"C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BFA1\3FC1.bat" "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
"C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 584
5⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2292 -ip 2292
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFA1\3FC1.bat
Filesize
112B

MD5
f61a29ae0612754b2de446c6cc81de10

SHA1
28ae65401b60452b2842a1b8f984d48438d8e703

SHA256
1ecf31772c8539362f3b35018e85b086052938ea60c88992f1655853e37252d1

SHA512
bcc2da3a3f17e6a4267b0882475f8f5e72250a4ec59595c9b03568e4965354876b90550bb9904129cc0b0e53950d57326cc9d98445aacedb2632ba745d7f5c2c

Download Submit
C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
Filesize
388KB

MD5
5031ce596f9f1898fe11cfa7e8858795

SHA1
ed60c8e01112ae2ae731a34703e241138bd6575d

SHA256
5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d

SHA512
1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

Download Submit
memory/488-132-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/488-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/488-135-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/2292-139-0x0000000000000000-mapping.dmp

Download
memory/2292-142-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2292-144-0x00000000007D0000-0x0000000000800000-memory.dmp

Filesize
192KB

Download
memory/3328-138-0x0000000000000000-mapping.dmp

Download
memory/4496-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads