gozi_ifsb | 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

General

Target

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe
Size

430KB
MD5

8730820fabb55d15f327b8bca8ade887
SHA1

e20c2ec38086bfd9760925f055e13d286bdd0aa3
SHA256

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
SHA512

dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034
SSDEEP

12288:/4SwXkbqJNiIeJY4kLm7lszLu0j4/VR7VXQfj:gSZ+TiIeJCLm7z4qVR7V

Score

10^/10

gozi_ifsb 10008 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10008

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215801
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

dsroXP32.exe

pid process

1992 dsroXP32.exe
Deletes itself 1 IoCs

Processes:

dsroXP32.exe

pid process

1992 dsroXP32.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1724 cmd.exe
1724 cmd.exe

pid	process
1992	dsroXP32.exe

pid	process
1992	dsroXP32.exe

pid	process
1724	cmd.exe
1724	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmvdXT32 = "C:\\Users\\Admin\\AppData\\Roaming\\clbcwcfg\\dsroXP32.exe"	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dsroXP32.exesvchost.exe

description	pid	process	target process
PID 1992 set thread context of 1976	1992	dsroXP32.exe	svchost.exe
PID 1976 set thread context of 1412	1976	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dsroXP32.exeExplorer.EXE

pid process

1992 dsroXP32.exe
1412 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dsroXP32.exesvchost.exe

pid process

1992 dsroXP32.exe
1976 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1412 Explorer.EXE
Token: SeShutdownPrivilege 1412 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE

pid	process
1992	dsroXP32.exe
1412	Explorer.EXE

pid	process
1412	Explorer.EXE

pid	process
1992	dsroXP32.exe
1976	svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1412	Explorer.EXE
Token: SeShutdownPrivilege	1412	Explorer.EXE

pid	process
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.execmd.execmd.exedsroXP32.exesvchost.exe

description	pid	process	target process
PID 1504 wrote to memory of 1904	1504	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 1504 wrote to memory of 1904	1504	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 1504 wrote to memory of 1904	1504	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 1504 wrote to memory of 1904	1504	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 1904 wrote to memory of 1724	1904	cmd.exe	cmd.exe
PID 1904 wrote to memory of 1724	1904	cmd.exe	cmd.exe
PID 1904 wrote to memory of 1724	1904	cmd.exe	cmd.exe
PID 1904 wrote to memory of 1724	1904	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1992	1724	cmd.exe	dsroXP32.exe
PID 1724 wrote to memory of 1992	1724	cmd.exe	dsroXP32.exe
PID 1724 wrote to memory of 1992	1724	cmd.exe	dsroXP32.exe
PID 1724 wrote to memory of 1992	1724	cmd.exe	dsroXP32.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1992 wrote to memory of 1976	1992	dsroXP32.exe	svchost.exe
PID 1976 wrote to memory of 1412	1976	svchost.exe	Explorer.EXE
PID 1976 wrote to memory of 1412	1976	svchost.exe	Explorer.EXE
PID 1976 wrote to memory of 1412	1976	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Users\Admin\AppData\Local\Temp\2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe
"C:\Users\Admin\AppData\Local\Temp\2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1824\C12.bat" "C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
"C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1824\C12.bat
Filesize
108B

MD5
81bac2582d15efa999fe61dccab3a5c7

SHA1
99043f9c4a1027e6e8257b0ec51ae98206570f29

SHA256
5c1ced2c271c0cfcb9968baa1e32bbd3f9ca6cae2078ed4e4a289c1667cd0b5d

SHA512
152bed418b3f75c7edd37a1d629a3c1cc2d3783e3136d3a9e7ced80135f2b011eac3e9e7eec408c264ab6940239ba4d82d2d73509d77e28a1df79d6c485fe72f

Download Submit
C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
memory/1412-74-0x0000000003F70000-0x0000000004063000-memory.dmp

Filesize
972KB

Download
memory/1504-59-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1504-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1724-61-0x0000000000000000-mapping.dmp

Download
memory/1904-58-0x0000000000000000-mapping.dmp

Download
memory/1976-71-0x0000000000000000-mapping.dmp

Download
memory/1976-72-0x0000000000420000-0x0000000000513000-memory.dmp

Filesize
972KB

Download
memory/1976-73-0x0000000000420000-0x0000000000513000-memory.dmp

Filesize
972KB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads