gozi_ifsb | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

General

Target

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
Size

428KB
MD5

e068e708d5b8a92634bc14e782243700
SHA1

cb249d47bf5d02a7f150085bb9ebedd437454105
SHA256

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab
SHA512

289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5
SSDEEP

12288:brmFLGnyRj3cBRrAeMFSwxHDmfn3AAxifDBJ:+KyRj3cBRSbxj1RVJ

Score

10^/10

gozi_ifsb 1071 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1071

C2

127.0.0.1

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

dsroXP32.exe

pid process

1472 dsroXP32.exe
Deletes itself 1 IoCs

Processes:

dsroXP32.exe

pid process

1472 dsroXP32.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

316 cmd.exe
316 cmd.exe

pid	process
1472	dsroXP32.exe

pid	process
1472	dsroXP32.exe

pid	process
316	cmd.exe
316	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmvdXT32 = "C:\\Users\\Admin\\AppData\\Roaming\\clbcwcfg\\dsroXP32.exe"	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dsroXP32.exesvchost.exe

description	pid	process	target process
PID 1472 set thread context of 280	1472	dsroXP32.exe	svchost.exe
PID 280 set thread context of 1268	280	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dsroXP32.exeExplorer.EXE

pid process

1472 dsroXP32.exe
1268 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dsroXP32.exesvchost.exe

pid process

1472 dsroXP32.exe
280 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1268 Explorer.EXE
Token: SeShutdownPrivilege 1268 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE

pid	process
1472	dsroXP32.exe
1268	Explorer.EXE

pid	process
1268	Explorer.EXE

pid	process
1472	dsroXP32.exe
280	svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.execmd.execmd.exedsroXP32.exesvchost.exe

description	pid	process	target process
PID 1896 wrote to memory of 896	1896	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 1896 wrote to memory of 896	1896	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 1896 wrote to memory of 896	1896	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 1896 wrote to memory of 896	1896	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 896 wrote to memory of 316	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 316	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 316	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 316	896	cmd.exe	cmd.exe
PID 316 wrote to memory of 1472	316	cmd.exe	dsroXP32.exe
PID 316 wrote to memory of 1472	316	cmd.exe	dsroXP32.exe
PID 316 wrote to memory of 1472	316	cmd.exe	dsroXP32.exe
PID 316 wrote to memory of 1472	316	cmd.exe	dsroXP32.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 1472 wrote to memory of 280	1472	dsroXP32.exe	svchost.exe
PID 280 wrote to memory of 1268	280	svchost.exe	Explorer.EXE
PID 280 wrote to memory of 1268	280	svchost.exe	Explorer.EXE
PID 280 wrote to memory of 1268	280	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
"C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\21A5\10.bat" "C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
"C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21A5\10.bat
Filesize
108B

MD5
49281a2f6a11ce8b692e26ce56bf25cc

SHA1
cdb6d1693cd9d39e8bb656813a2adc823c6b5040

SHA256
c44e454ce5e90c2ae2b1c8b3206643527d06ac0b622c20b6cd8d5d93fbdb33e0

SHA512
b7c1e1d74f2e36b41e57dd65deb0456642c5ae8fc144dd722e0075faa39b09e0993cbe0daab7b753fb2fab7bec9b68f274e24b4a043a00fd4f4b6712a974c39b

Download Submit
C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
memory/280-73-0x00000000001E0000-0x0000000000263000-memory.dmp

Filesize
524KB

Download
memory/280-72-0x0000000000000000-mapping.dmp

Download
memory/316-61-0x0000000000000000-mapping.dmp

Download
memory/896-59-0x0000000000000000-mapping.dmp

Download
memory/1268-74-0x0000000003B90000-0x0000000003C13000-memory.dmp

Filesize
524KB

Download
memory/1268-75-0x0000000003B90000-0x0000000003C13000-memory.dmp

Filesize
524KB

Download
memory/1472-65-0x0000000000000000-mapping.dmp

Download
memory/1472-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1472-70-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1472-71-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1896-58-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1896-57-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1896-55-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads