gozi_ifsb | 934d35b702d4339f22b374ff4b7ea79daaa8546b7551e3b3bd8493bd8e084515

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1479.lnk
Size

1KB
MD5

3a7fe4683c4e75860cda2f9cfe8286e7
SHA1

c61988e9a7270572d66305a1ae117ad88e321276
SHA256

95d75f9f60c28efec7ec43966a0379063aa9c7ca5351f23c77dc3e67050f559a
SHA512

b144c4ce2285f19e3ae7df886cee5a0d3c596c58e035b7f6d258aa0c4d223c9c02ea436326c791c9048519049c68c4f7e6e9bd1df10e997c4896c68f7ce1b4c0

Score

10^/10

gozi_ifsb 5000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5000

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes

base_path
/drew/
build
250246
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

36 1696 rundll32.exe
39 1696 rundll32.exe
44 1696 rundll32.exe
45 1696 rundll32.exe
46 1696 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

xxl.exe

pid process

1824 xxl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
36	1696	rundll32.exe
39	1696	rundll32.exe
44	1696	rundll32.exe
45	1696	rundll32.exe
46	1696	rundll32.exe

pid	process
1824	xxl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.execmd.exexxl.exe

description	pid	process	target process
PID 4112 wrote to memory of 2396	4112	cmd.exe	cmd.exe
PID 4112 wrote to memory of 2396	4112	cmd.exe	cmd.exe
PID 2396 wrote to memory of 1824	2396	cmd.exe	xxl.exe
PID 2396 wrote to memory of 1824	2396	cmd.exe	xxl.exe
PID 1824 wrote to memory of 1696	1824	xxl.exe	rundll32.exe
PID 1824 wrote to memory of 1696	1824	xxl.exe	rundll32.exe
PID 1824 wrote to memory of 1696	1824	xxl.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1479.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c internee\champ.cmd dll32.exe tem dows
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\xxl.exe
    C:\Users\Admin\AppData\Local\Temp\xxl.exe internee\boutiques.3ds,DllRegisterServer
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Users\Admin\AppData\Local\Temp\xxl.exe internee\boutiques.3ds,DllRegisterServer
      4⤵
      Blocklisted process makes network request
      PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xxl.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxl.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/1696-136-0x0000000000000000-mapping.dmp

Download
memory/1696-137-0x00000000025A0000-0x00000000025A5000-memory.dmp

Filesize
20KB

Download
memory/1696-138-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1696-143-0x0000000002710000-0x000000000271D000-memory.dmp

Filesize
52KB

Download
memory/1824-133-0x0000000000000000-mapping.dmp

Download
memory/2396-132-0x0000000000000000-mapping.dmp

Download