gozi_ifsb | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

General

Target

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
Size

428KB
MD5

e068e708d5b8a92634bc14e782243700
SHA1

cb249d47bf5d02a7f150085bb9ebedd437454105
SHA256

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab
SHA512

289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5
SSDEEP

12288:brmFLGnyRj3cBRrAeMFSwxHDmfn3AAxifDBJ:+KyRj3cBRSbxj1RVJ

Score

10^/10

gozi_ifsb 1071 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1071

C2

127.0.0.1

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

adsnptsp.exe

pid process

1660 adsnptsp.exe

pid	process
1660	adsnptsp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppRvice = "C:\\Users\\Admin\\AppData\\Roaming\\audibapi\\adsnptsp.exe"	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3520 1660 WerFault.exe adsnptsp.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

adsnptsp.exe

pid process

1660 adsnptsp.exe
1660 adsnptsp.exe

pid	pid_target	process	target process
3520	1660	WerFault.exe	adsnptsp.exe

pid	process
1660	adsnptsp.exe
1660	adsnptsp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.execmd.execmd.exeadsnptsp.exe

description	pid	process	target process
PID 4860 wrote to memory of 4856	4860	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 4860 wrote to memory of 4856	4860	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 4860 wrote to memory of 4856	4860	249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe	cmd.exe
PID 4856 wrote to memory of 4504	4856	cmd.exe	cmd.exe
PID 4856 wrote to memory of 4504	4856	cmd.exe	cmd.exe
PID 4856 wrote to memory of 4504	4856	cmd.exe	cmd.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	adsnptsp.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	adsnptsp.exe
PID 4504 wrote to memory of 1660	4504	cmd.exe	adsnptsp.exe
PID 1660 wrote to memory of 1204	1660	adsnptsp.exe	svchost.exe
PID 1660 wrote to memory of 1204	1660	adsnptsp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
"C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAA8\CAA9.bat" "C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe
"C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 564
5⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1660 -ip 1660
1⤵
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CAA8\CAA9.bat
Filesize
112B

MD5
9fb729d63ca02e751668f9b571602ac2

SHA1
0e20f31830b7d3b2dd5c69f48b742137b342c38a

SHA256
a1a2f67f724878c180a9128079586377d79b0bbbb251710294cfe1336037c8d9

SHA512
3bdd3ff5bcd38dfe80883ff0ad271d47313f0048a48ebace73714fee2848ebcc4e5eaf89649035ad28c44805cd76916c17537db6482bcba5c34b2840952ec593

Download Submit
C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe
Filesize
428KB

MD5
e068e708d5b8a92634bc14e782243700

SHA1
cb249d47bf5d02a7f150085bb9ebedd437454105

SHA256
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab

SHA512
289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5

Download Submit
memory/1660-139-0x0000000000000000-mapping.dmp

Download
memory/1660-142-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1660-144-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download
memory/1660-145-0x0000000000530000-0x0000000000533000-memory.dmp

Filesize
12KB

Download
memory/4504-138-0x0000000000000000-mapping.dmp

Download
memory/4856-136-0x0000000000000000-mapping.dmp

Download
memory/4860-132-0x0000000000A40000-0x0000000000A47000-memory.dmp

Filesize
28KB

Download
memory/4860-133-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4860-135-0x0000000000A90000-0x0000000000A93000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads