gozi_ifsb | 198a4e6953c2fab088c40f305d9a659bafc2caa00ee310c668172773e10054f6

Analysis

max time kernel
507s
max time network
509s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powershell_bad.ps1
Size

753KB
MD5

b6cb1b34533ec12131414aa43ad25820
SHA1

e9d36f5e85301a067427db5e33522997c578a164
SHA256

198a4e6953c2fab088c40f305d9a659bafc2caa00ee310c668172773e10054f6
SHA512

35b6fa02bed293267e36d62cd751204a35d111a3e0b18ae991363a69dee729af31278c311798a0f9476a82d1069f2ae37497036c1b1e06be13fbc365ea53491b
SSDEEP

1536:Vwwq2KKIkb1O7RSanp5cuaZRiLccsunDiJhRs7HI1xXYWLOx+4G+gW7+wjrNEaDa:VF

Score

10^/10

gozi_ifsb 10101 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10101

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
916	powershell.exe
916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	916	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	Process	procid_target
PID 916 wrote to memory of 632	916	powershell.exe	80
PID 916 wrote to memory of 632	916	powershell.exe	80
PID 632 wrote to memory of 564	632	csc.exe	81
PID 632 wrote to memory of 564	632	csc.exe	81
PID 916 wrote to memory of 4352	916	powershell.exe	82
PID 916 wrote to memory of 4352	916	powershell.exe	82
PID 4352 wrote to memory of 1884	4352	csc.exe	83
PID 4352 wrote to memory of 1884	4352	csc.exe	83

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\powershell_bad.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vgtbnoec\vgtbnoec.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CE5.tmp" "c:\Users\Admin\AppData\Local\Temp\vgtbnoec\CSC9CC379BF1DAC4D749191342B6F258F13.TMP"
    3⤵
    PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhdwqhl2\xhdwqhl2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E1E.tmp" "c:\Users\Admin\AppData\Local\Temp\xhdwqhl2\CSC7B3A248EE9F545EB871AABBE779AD334.TMP"
    3⤵
    PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7CE5.tmp

Filesize
1KB

MD5
840b303f3309d5e7240a0ce20cc1f945

SHA1
0508801168822606a06033237c905bfcb858cbb6

SHA256
1054b98049a3894f0c5f9f6ddae310d1772cae97088888f8685152030d82c7d4

SHA512
875d6c0ec15ed79aee24ca68d0ef7ac97b39cdce493abbc2b75111bfbe85b602b75b10a55d94d0e1effeae57a6e1d2b91b005e8413c40e7ee393a1637f7cbd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E1E.tmp

Filesize
1KB

MD5
c6097b1b0e965e8f72fa5dbbd40bc7fa

SHA1
4b8f2963b00303634b83070cff9ecaff39aab57c

SHA256
b6dc9b7d0c595b3812fb5c27366e824310d86470fbe1abc7621a5151c965ab98

SHA512
fd37d29fd2efc8c10b43d81ddc2572c228867812e5638053cf53440c7a104b3dbcc59c5a6f92517da0c34ce14e79c1d8c1a651195128ad2373bf78d5e8bb798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgtbnoec\vgtbnoec.dll

Filesize
3KB

MD5
01ecfdce70c3483d2b9514f2ecd78f05

SHA1
d8e4891bf5cfa0896be9276078eb004c43a4bc27

SHA256
f52d425f13faf1f65673b07e797498eb3a25d1f2a478ecbc97437eb8c23f70f9

SHA512
52b10c960120fce0dbba7d9aba252c17eef5cd4cc0c99f136d77c943d5742117d610ef09e6d1b8887b968980cf493366230b9f2e8bca81a3ca3eb452b927788e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhdwqhl2\xhdwqhl2.dll

Filesize
3KB

MD5
15746271b54a5686c07a9b7b467654a6

SHA1
9822c6c14c5b41b4e5bbb61903d3c075f8852950

SHA256
17e501c75e2d7d42db626f5b36563b82adb565ec805d2f2fe72ed59909784ace

SHA512
26297760ece0043b3d563b4f02ff6dcd6b4e8b571ebd146f461e1e6b9bcc28ed0c48d2f16cd6efb3a005503327309ac8b51a75957e098b5ba41c9f2d15ccbd74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vgtbnoec\CSC9CC379BF1DAC4D749191342B6F258F13.TMP

Filesize
652B

MD5
44e9c63acb1cd67ef1a11ae86b9dfa7a

SHA1
b8c6ff437a5cd462ef3b1534f45b29cb03ed7350

SHA256
0681ad9bb5deb386575fcc8a3a5d03677a1daea89439077d965476455c0a1042

SHA512
250eb639dc3f11e00dd07cc5e019613400ed5266827befa8c1204383f77db39320d97e4c3f19237037bffad9d9042bf7e3872e1c90b5cf57869befa61fdbf5b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vgtbnoec\vgtbnoec.0.cs

Filesize
418B

MD5
19fd6f555ad7c58d574c00f46f087b02

SHA1
025ec4778721f20fdbff775edd2351baea93846c

SHA256
9d08df39ad05bd4a53f416ab8ef6a2fca313eb9a1498e451284b445bb1830dac

SHA512
188488549588e593523ddab3a8372d47e016841c3ce1594a456c0ac7c73763a3ae1e8a5fffdc7b6455bd869d0f6bdebd6b6bcb2aa6a6b4cf658231ce72dc40b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vgtbnoec\vgtbnoec.cmdline

Filesize
369B

MD5
231ba1a31245f394a118902e8a0bedd0

SHA1
4b1b17558e08673bbf9ee0a39d1a54c42a22fd2a

SHA256
2cc99d0ac55447863bedf21d02eeba34f928c05af0984b261af60fd231d09831

SHA512
263d7f9b0457ce50215a74ec490f28deafaf2fb9527bffe2a30c5ebad39e3b2eaaa673b4926764390ec57543ff17db69c5c38c9df0385809faa323e3f51cac09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhdwqhl2\CSC7B3A248EE9F545EB871AABBE779AD334.TMP

Filesize
652B

MD5
98e2c5430f5635b4737a53a0782e4580

SHA1
e17f1f34cb3656d0a3a1bb4398f3a9a31c278283

SHA256
27b194a1688ebd60edcffa7045b9cc4e57ae7e80bf9089009411f88ef86b6563

SHA512
b34fbd083106e3a79a21fab416c740ed7f47a1eef2f985b365c9618e7730f6448a29c38c673bc34d462516c16bbac773a2819b766a3d59a451091740113edd9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhdwqhl2\xhdwqhl2.0.cs

Filesize
400B

MD5
f31a91cb873d422f30e84bfc6f0e4919

SHA1
87946e5b050bc8c66c9f04ebb9f82e210522d8ee

SHA256
91af8fc99b650c87f7c49faa1e0499f673e034ed712eb62782cfacbdf8329f84

SHA512
242e12d8c01ef5bf6866fc09bd8a4ab9fb6c7ea1ac4bead56610db30f15f0c7b38d7da8706ab4bb8ad5647d5b2ccfb9717b85324ca0099c6dcdd7fde13e5906b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhdwqhl2\xhdwqhl2.cmdline

Filesize
369B

MD5
d95d9befc8196ef12abf6b9fa3a9e37b

SHA1
cbf8274a9ab88605c548e82386580074ea921842

SHA256
4766c97a4efa4931e8322853f322fc48382252ad8e54ab32420cf5e3ef95717d

SHA512
c8be50eabf5992ea733de22a494c30c3a2714af70a1aaf629ca0af3e3c4efed35b2e1643a4ddc07aa636dbc07aad3d32e528bf631bc00050a311c3c9725a036a

Download Submit
memory/564-137-0x0000000000000000-mapping.dmp

Download
memory/632-134-0x0000000000000000-mapping.dmp

Download
memory/916-132-0x000001F3EE480000-0x000001F3EE4A2000-memory.dmp

Filesize
136KB

Download
memory/916-133-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/916-148-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/916-149-0x000001F3F1000000-0x000001F3F103D000-memory.dmp

Filesize
244KB

Download
memory/1884-144-0x0000000000000000-mapping.dmp

Download
memory/4352-141-0x0000000000000000-mapping.dmp

Download