gozi_ifsb | b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

General

Target

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe
Size

569KB
MD5

b903665c8fbd50d6bf8cdd3fb2925146
SHA1

6236fccb03ebe21b5b8d72443d4edf71384c045c
SHA256

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692
SHA512

ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5
SSDEEP

12288:paIJZRxQe8CBNKJ/3ISJFiT32e6MJE+8MOUBXiPb:0ID8aB0F4Sjm2e5+jWiPb

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

dmutslad.exe

pid process

1656 dmutslad.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1972 cmd.exe

pid	process
1656	dmutslad.exe

pid	process
1972	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfscels = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Blb_aext\\dmutslad.exe"	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.execmd.execmd.exe

description	pid	process	target process
PID 1884 wrote to memory of 2000	1884	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 1884 wrote to memory of 2000	1884	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 1884 wrote to memory of 2000	1884	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 1884 wrote to memory of 2000	1884	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	cmd.exe
PID 1972 wrote to memory of 1656	1972	cmd.exe	dmutslad.exe
PID 1972 wrote to memory of 1656	1972	cmd.exe	dmutslad.exe
PID 1972 wrote to memory of 1656	1972	cmd.exe	dmutslad.exe
PID 1972 wrote to memory of 1656	1972	cmd.exe	dmutslad.exe

C:\Users\Admin\AppData\Local\Temp\b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe
"C:\Users\Admin\AppData\Local\Temp\b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4868\3029.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE"
4⤵
- Executes dropped EXE
PID:1656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4868\3029.bat
Filesize
108B

MD5
843986ce70003e5fbb5ad05cdff24d08

SHA1
1bead0af3d631a660583f4f485974761a24c3bb2

SHA256
3652591f6319dd7f3028e520409ee92fc61ce7e7f46f7633b392b696ea599260

SHA512
58a1f824fd8a804b64acdc1fd7277eb973e3beac15d6bf7882698178a88e9f64849ed82f7ea3160a5dcbe9e4a09e9f062d46071e899b875ec362930af5d10826

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe
Filesize
569KB

MD5
b903665c8fbd50d6bf8cdd3fb2925146

SHA1
6236fccb03ebe21b5b8d72443d4edf71384c045c

SHA256
b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

SHA512
ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe
Filesize
569KB

MD5
b903665c8fbd50d6bf8cdd3fb2925146

SHA1
6236fccb03ebe21b5b8d72443d4edf71384c045c

SHA256
b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

SHA512
ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Blb_aext\dmutslad.exe
Filesize
569KB

MD5
b903665c8fbd50d6bf8cdd3fb2925146

SHA1
6236fccb03ebe21b5b8d72443d4edf71384c045c

SHA256
b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

SHA512
ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5

Download Submit
memory/1656-65-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1884-58-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1884-60-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing