gozi_ifsb | 2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7

General

Target

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
Size

302KB
MD5

fddf052c867459e52b86307ffdd2f0b8
SHA1

471c4e337c3f37d19ed21b1b3ca47caf7f5287fb
SHA256

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7
SHA512

903d2debcccf78191cec690995e6fa635445d8bb7216b7b88b73755dd74ad295706e81ca3803da7be52cf917bf291cea9915459025b89b32343e63fbd9408f07
SSDEEP

6144:mMMYNXqBBtzd0e6OGxUf4lnWFJuDlw2bt6MY8E/0RMKYrsTL16Qj8iA:qntz28wlPlww6Mfk0R9R4Qj8P

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Loads dropped DLL 2 IoCs

Processes:

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe

pid	Process
2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe

description	pid	Process	procid_target
PID 2028 set thread context of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe

description	pid	Process	procid_target
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27
PID 2028 wrote to memory of 1620	2028	2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe	27

C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
"C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
  "C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe"
  2⤵
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\brothers.dll

Filesize
68KB

MD5
aa7a954d0ea7dbb90068bdd32d997f2a

SHA1
8a6ec0b72e5000900a71b5eb4bd81dda342a0dd9

SHA256
fda8e2088f7ca3f22d90e0ce3a9e2e466b7a30e96cfc166059156aabab3dea1b

SHA512
2850c7a06a3b03cd4989ee0db61b0b91746489b5ddbdddfc351d30c52147b0cbe6cbecd6c8737fe3ffa11f5db97948472adeb4031f72829205052ae7d24e5d80

Download Submit
\Users\Admin\AppData\Local\Temp\nsd58E.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
memory/1620-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-67-0x0000000000401000-mapping.dmp

Download
memory/1620-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-57-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads