gozi_ifsb | 198a4e6953c2fab088c40f305d9a659bafc2caa00ee310c668172773e10054f6

Analysis

max time kernel
413s
max time network
416s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powershell_bad.ps1
Size

753KB
MD5

b6cb1b34533ec12131414aa43ad25820
SHA1

e9d36f5e85301a067427db5e33522997c578a164
SHA256

198a4e6953c2fab088c40f305d9a659bafc2caa00ee310c668172773e10054f6
SHA512

35b6fa02bed293267e36d62cd751204a35d111a3e0b18ae991363a69dee729af31278c311798a0f9476a82d1069f2ae37497036c1b1e06be13fbc365ea53491b
SSDEEP

1536:Vwwq2KKIkb1O7RSanp5cuaZRiLccsunDiJhRs7HI1xXYWLOx+4G+gW7+wjrNEaDa:VF

Score

10^/10

gozi_ifsb 10101 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10101

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	Process	procid_target
PID 1044 wrote to memory of 1840	1044	powershell.exe	28
PID 1044 wrote to memory of 1840	1044	powershell.exe	28
PID 1044 wrote to memory of 1840	1044	powershell.exe	28
PID 1840 wrote to memory of 1128	1840	csc.exe	29
PID 1840 wrote to memory of 1128	1840	csc.exe	29
PID 1840 wrote to memory of 1128	1840	csc.exe	29
PID 1044 wrote to memory of 2036	1044	powershell.exe	30
PID 1044 wrote to memory of 2036	1044	powershell.exe	30
PID 1044 wrote to memory of 2036	1044	powershell.exe	30
PID 2036 wrote to memory of 948	2036	csc.exe	31
PID 2036 wrote to memory of 948	2036	csc.exe	31
PID 2036 wrote to memory of 948	2036	csc.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\powershell_bad.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipqq_ywa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES781.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC780.tmp"
    3⤵
    PID:1128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udjp5hiw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp"
    3⤵
    PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES781.tmp

Filesize
1KB

MD5
612b86d87192aafbeb7abb624a657729

SHA1
d1e7cad48478dede933542a58739695a853f8f32

SHA256
3ec3a8cc23b6da20dac83f3562a05ac7c346889b5df9c7be3beae0a7a6d38c30

SHA512
1b87107f4656234470da5c3d694f728fbd698eefddeb74e420619713de9bf7edbf138bbc4822eb73a65538756016e9e36b80a75d27d1780237ac5ab61be135e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81D.tmp

Filesize
1KB

MD5
d144f48140aa116c7bf7438af0200a9c

SHA1
945c30eba8afe78cb5b6467acb428d55567d1c15

SHA256
bba71c8ebd0eda67508b2f55baecde34b965c2b4835c8c1c8d44bc38c948eeba

SHA512
1fc3436197a2e7d1e52fa96a77414dc4f08fbfc0dcec31fc904dbf257fc290cf7dbe63e322114f16f5e4539753e853a568e29f6f64180428ee79a21ba78da6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipqq_ywa.dll

Filesize
3KB

MD5
6c32025006d0c0d168428c668f703a8d

SHA1
91bbf0f6fe653f6b9ecc04a998830999537637de

SHA256
2dbbba0877469c54efcfaecd179e73e12300cc61fb733f4c2d7a1bf53499f4d3

SHA512
dd2bc1701b46b9c63f6c56098e2f6d8ea92aec194635efd7873b14b55934d879dda008b78f14ef53bd18ac4368c333dc7528f77ca2cd312ab832789a76fb6252

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipqq_ywa.pdb

Filesize
7KB

MD5
942f59ae64495cd4209f91801cd1df5e

SHA1
8484cd94b9e15e1234821d7a9d65e7d81bb19fe2

SHA256
6f33289cde7024287779b2b3a7dc83a502707231ddb546f9c8a72a148130df43

SHA512
95cc0f8c7b8e1c2d8fb7c9027c9400462b53890cc7f5029cdf2a5606bd14a4b1c315f9ff5665073497ab677debbaf14f7c9200609061347f64b55821e08e714a

Download Submit
C:\Users\Admin\AppData\Local\Temp\udjp5hiw.dll

Filesize
3KB

MD5
82942a83837c874943e6157821afe492

SHA1
1f3683ee824e48014e58e2ff00cf8be8f6d07eb1

SHA256
ff58ad43e4b8130434982b652697a0bd2df5d958d0da0b14fd69c49680c85b43

SHA512
19bad06534110ab3c5791e76bde3f1e12e61d5ce218d36b4472f0414eba3c637778c8fbb8155faa91853d41cfec706b8544f7ba1a95d9c268744999d6ddf1f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\udjp5hiw.pdb

Filesize
7KB

MD5
fec1b2aad05e664656bc104c11c78677

SHA1
c0f281b9c7a5b821e2ece59f639027e6233cfe0a

SHA256
a53020c3351618e4056e2570cffa5bbadaebbb28d62868134ac36eb60771fcc6

SHA512
a36dfc89a35a61ba741dbb38eb20df4fd63c6ef88fb9bba40e93bd298e6c129fcfa57eca3337b2f21f6f2181a92ddeff37e441e45f0f16ffb8510d81f949c65e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC780.tmp

Filesize
652B

MD5
92ca12e9b1b65af9bcc70d14c503d348

SHA1
3b7b4ba727c3b2c50acf07656d2288d5f0a4e82b

SHA256
cbffc8811491a6574aeccaa6288c48ecc9a6624a39dfa4c3db014e1a19cec1c1

SHA512
f7051a74d280ee18acf2fbc36b980d3701f1bd26d6315c081747f0f079b4024691c4a5f7e727837e73feb1c3a8140e03c127c37acc94923bad1103fa967b4a29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp

Filesize
652B

MD5
9c59fdb12c1d970df3050562920b93f3

SHA1
a9ff59d43b60bd3bdac6d8054824fd185d750273

SHA256
7029d50b11ab037b6234b790ca01491bea2421fa58fcabe0017aaf2528cf4c58

SHA512
40c9b92900f06d2867cc23e367a771017977598f5b1e8a75d4836d20c42fc4e96504624936c283c0242de7530dbef0e8761d83388b9323eaf31f1a24342b1796

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipqq_ywa.0.cs

Filesize
418B

MD5
19fd6f555ad7c58d574c00f46f087b02

SHA1
025ec4778721f20fdbff775edd2351baea93846c

SHA256
9d08df39ad05bd4a53f416ab8ef6a2fca313eb9a1498e451284b445bb1830dac

SHA512
188488549588e593523ddab3a8372d47e016841c3ce1594a456c0ac7c73763a3ae1e8a5fffdc7b6455bd869d0f6bdebd6b6bcb2aa6a6b4cf658231ce72dc40b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipqq_ywa.cmdline

Filesize
309B

MD5
5b74ad1d533a46e65b4dbfba5e3318e7

SHA1
38232590002dab098d53791ec5287903717185d9

SHA256
8f350507bd5e37deb8de174900b13dfe4e8242237c4b3c0c351dd3be67611c6b

SHA512
64c25f61ad384c5f2f01dae43a03a1ac58ee790193e537b9785446f024e9f1ade01f8031a3494ff7a6ff1ee9c9f2c99ba4e57291c7e620ecd43bed79833427e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udjp5hiw.0.cs

Filesize
400B

MD5
f31a91cb873d422f30e84bfc6f0e4919

SHA1
87946e5b050bc8c66c9f04ebb9f82e210522d8ee

SHA256
91af8fc99b650c87f7c49faa1e0499f673e034ed712eb62782cfacbdf8329f84

SHA512
242e12d8c01ef5bf6866fc09bd8a4ab9fb6c7ea1ac4bead56610db30f15f0c7b38d7da8706ab4bb8ad5647d5b2ccfb9717b85324ca0099c6dcdd7fde13e5906b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udjp5hiw.cmdline

Filesize
309B

MD5
f89cf160bf23bd2c6bfcd25010dff0ce

SHA1
e027cf1e893c741f51f3be192df5d0df66e4663a

SHA256
37c009ca9b701de19896f0ca63a597b7d7079709961da4598ec92f2370ca95d0

SHA512
1fa6faeb43eacf4bea3dde4e60f66ed8660c6a44a6bb9b622ee679bd2d81c14fa7d4c560affbfb98c3915a574b4b7b29eac65a424942bc94180d768f1040eb0b

Download Submit
memory/948-70-0x0000000000000000-mapping.dmp

Download
memory/1044-57-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1044-61-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1044-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1044-56-0x000007FEF2C70000-0x000007FEF37CD000-memory.dmp

Filesize
11.4MB

Download
memory/1044-55-0x000007FEF37D0000-0x000007FEF41F3000-memory.dmp

Filesize
10.1MB

Download
memory/1044-75-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1044-76-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1044-77-0x000000001B630000-0x000000001B66D000-memory.dmp

Filesize
244KB

Download
memory/1128-62-0x0000000000000000-mapping.dmp

Download
memory/1840-58-0x0000000000000000-mapping.dmp

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download