gozi_ifsb | 838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2

General

Target

838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe
Size

81KB
MD5

648f447ef46ad487b37527f469df0010
SHA1

65bc52c369003382def306c4556e38200f3c7b38
SHA256

838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2
SHA512

5d0405455767f8ba932800465050cb7f670ded3b604694ea3ab3a0b6380064ad3bb4e1a1ef96f7771520524c5d410843fd94d03972f57c99b060781ef827bb70
SSDEEP

1536:OBSXEetLkkvlOt86NnJsmxqpELT4qg8gwwpqvtd:OBSXEeFftOFNJTxqi+8gwjn

Score

10^/10

gozi_ifsb njrat hacked by zr_exe banker evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed By Zr_Exe

C2

skorepyo1.no-ip.org:1177

Mutex

b7c77f48dde2ad69a039c2aceab2d240

Attributes

reg_key
b7c77f48dde2ad69a039c2aceab2d240
splitter
|'|'|

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempserver.exewindows.exe

pid process

1476 Tempserver.exe
836 windows.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1380 netsh.exe

pid	process
1476	Tempserver.exe
836	windows.exe

pid	process
1380	netsh.exe

Drops startup file 2 IoCs

Processes:

windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7c77f48dde2ad69a039c2aceab2d240.exe	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7c77f48dde2ad69a039c2aceab2d240.exe	windows.exe

Loads dropped DLL 1 IoCs

Processes:

838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe

pid process

1632 838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe

pid	process
1632	838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b7c77f48dde2ad69a039c2aceab2d240 = "\"C:\\Windows\\windows.exe\" .."	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7c77f48dde2ad69a039c2aceab2d240 = "\"C:\\Windows\\windows.exe\" .."	windows.exe

Drops file in Windows directory 2 IoCs

Processes:

Tempserver.exe

description ioc process

File created C:\Windows\windows.exe Tempserver.exe
File opened for modification C:\Windows\windows.exe Tempserver.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\windows.exe	Tempserver.exe
File opened for modification	C:\Windows\windows.exe	Tempserver.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

windows.exe

pid	process
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe
836	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

windows.exe

description pid process

Token: SeDebugPrivilege 836 windows.exe

description	pid	process
Token: SeDebugPrivilege	836	windows.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exeTempserver.exewindows.exe

description	pid	process	target process
PID 1632 wrote to memory of 1476	1632	838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe	Tempserver.exe
PID 1632 wrote to memory of 1476	1632	838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe	Tempserver.exe
PID 1632 wrote to memory of 1476	1632	838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe	Tempserver.exe
PID 1632 wrote to memory of 1476	1632	838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe	Tempserver.exe
PID 1476 wrote to memory of 836	1476	Tempserver.exe	windows.exe
PID 1476 wrote to memory of 836	1476	Tempserver.exe	windows.exe
PID 1476 wrote to memory of 836	1476	Tempserver.exe	windows.exe
PID 1476 wrote to memory of 836	1476	Tempserver.exe	windows.exe
PID 836 wrote to memory of 1380	836	windows.exe	netsh.exe
PID 836 wrote to memory of 1380	836	windows.exe	netsh.exe
PID 836 wrote to memory of 1380	836	windows.exe	netsh.exe
PID 836 wrote to memory of 1380	836	windows.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe
"C:\Users\Admin\AppData\Local\Temp\838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Tempserver.exe
  "C:\Users\Admin\AppData\Local\Tempserver.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\windows.exe
    "C:\Windows\windows.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\windows.exe" "windows.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
29KB

MD5
2e0b0ffe2973d55a50f91cee6e27291b

SHA1
a2440be9db80afece2432bf6201571872d785b70

SHA256
e6a03bd7f5064f2df3f40ebebaf03fc6f4fba36976fa8d1f9cb61114d2f98553

SHA512
ed8416a13fffd7cc148ffd1d67311afded15330f1b35d5bd6fe072b3ceb2993a038213fdbfd9e26584d1cb3a7ea5cbc36ae2487ae22d9c701fc264a452349aa1

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
29KB

MD5
2e0b0ffe2973d55a50f91cee6e27291b

SHA1
a2440be9db80afece2432bf6201571872d785b70

SHA256
e6a03bd7f5064f2df3f40ebebaf03fc6f4fba36976fa8d1f9cb61114d2f98553

SHA512
ed8416a13fffd7cc148ffd1d67311afded15330f1b35d5bd6fe072b3ceb2993a038213fdbfd9e26584d1cb3a7ea5cbc36ae2487ae22d9c701fc264a452349aa1

Download Submit
C:\Windows\windows.exe

Filesize
29KB

MD5
2e0b0ffe2973d55a50f91cee6e27291b

SHA1
a2440be9db80afece2432bf6201571872d785b70

SHA256
e6a03bd7f5064f2df3f40ebebaf03fc6f4fba36976fa8d1f9cb61114d2f98553

SHA512
ed8416a13fffd7cc148ffd1d67311afded15330f1b35d5bd6fe072b3ceb2993a038213fdbfd9e26584d1cb3a7ea5cbc36ae2487ae22d9c701fc264a452349aa1

Download Submit
C:\Windows\windows.exe

Filesize
29KB

MD5
2e0b0ffe2973d55a50f91cee6e27291b

SHA1
a2440be9db80afece2432bf6201571872d785b70

SHA256
e6a03bd7f5064f2df3f40ebebaf03fc6f4fba36976fa8d1f9cb61114d2f98553

SHA512
ed8416a13fffd7cc148ffd1d67311afded15330f1b35d5bd6fe072b3ceb2993a038213fdbfd9e26584d1cb3a7ea5cbc36ae2487ae22d9c701fc264a452349aa1

Download Submit
\Users\Admin\AppData\Local\Tempserver.exe

Filesize
29KB

MD5
2e0b0ffe2973d55a50f91cee6e27291b

SHA1
a2440be9db80afece2432bf6201571872d785b70

SHA256
e6a03bd7f5064f2df3f40ebebaf03fc6f4fba36976fa8d1f9cb61114d2f98553

SHA512
ed8416a13fffd7cc148ffd1d67311afded15330f1b35d5bd6fe072b3ceb2993a038213fdbfd9e26584d1cb3a7ea5cbc36ae2487ae22d9c701fc264a452349aa1

Download Submit
memory/836-62-0x0000000000000000-mapping.dmp

Download
memory/836-67-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/836-70-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-68-0x0000000000000000-mapping.dmp

Download
memory/1476-58-0x0000000000000000-mapping.dmp

Download
memory/1476-66-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1632-54-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads