gozi_ifsb | 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

General

Target

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe
Size

430KB
MD5

8730820fabb55d15f327b8bca8ade887
SHA1

e20c2ec38086bfd9760925f055e13d286bdd0aa3
SHA256

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
SHA512

dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034
SSDEEP

12288:/4SwXkbqJNiIeJY4kLm7lszLu0j4/VR7VXQfj:gSZ+TiIeJCLm7z4qVR7V

Score

10^/10

gozi_ifsb 10008 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10008

C2

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215801
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Appxplua.exe

pid process

4800 Appxplua.exe

pid	process
4800	Appxplua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\altsangs = "C:\\Users\\Admin\\AppData\\Roaming\\baseeMas\\Appxplua.exe"	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 4800 set thread context of 4828	4800	Appxplua.exe	svchost.exe
PID 4828 set thread context of 2484	4828	svchost.exe	Explorer.EXE
PID 2484 set thread context of 3424	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 set thread context of 3696	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 set thread context of 4648	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 set thread context of 4764	2484	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Appxplua.exeExplorer.EXE

pid process

4800 Appxplua.exe
4800 Appxplua.exe
2484 Explorer.EXE
2484 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2484 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

pid process

4800 Appxplua.exe
4828 svchost.exe
2484 Explorer.EXE
2484 Explorer.EXE
2484 Explorer.EXE
2484 Explorer.EXE

pid	process
4800	Appxplua.exe
4800	Appxplua.exe
2484	Explorer.EXE
2484	Explorer.EXE

pid	process
2484	Explorer.EXE

pid	process
4800	Appxplua.exe
4828	svchost.exe
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2484 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2484 Explorer.EXE

pid	process
2484	Explorer.EXE

pid	process
2484	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.execmd.execmd.exeAppxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 2120 wrote to memory of 4884	2120	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 2120 wrote to memory of 4884	2120	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 2120 wrote to memory of 4884	2120	2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe	cmd.exe
PID 4884 wrote to memory of 4924	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4924	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4924	4884	cmd.exe	cmd.exe
PID 4924 wrote to memory of 4800	4924	cmd.exe	Appxplua.exe
PID 4924 wrote to memory of 4800	4924	cmd.exe	Appxplua.exe
PID 4924 wrote to memory of 4800	4924	cmd.exe	Appxplua.exe
PID 4800 wrote to memory of 4828	4800	Appxplua.exe	svchost.exe
PID 4800 wrote to memory of 4828	4800	Appxplua.exe	svchost.exe
PID 4800 wrote to memory of 4828	4800	Appxplua.exe	svchost.exe
PID 4800 wrote to memory of 4828	4800	Appxplua.exe	svchost.exe
PID 4800 wrote to memory of 4828	4800	Appxplua.exe	svchost.exe
PID 4828 wrote to memory of 2484	4828	svchost.exe	Explorer.EXE
PID 4828 wrote to memory of 2484	4828	svchost.exe	Explorer.EXE
PID 4828 wrote to memory of 2484	4828	svchost.exe	Explorer.EXE
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4764	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4764	2484	Explorer.EXE	RuntimeBroker.exe
PID 2484 wrote to memory of 4764	2484	Explorer.EXE	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe
"C:\Users\Admin\AppData\Local\Temp\2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1080\8840.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
"C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\2952A6~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1080\8840.bat
Filesize
112B

MD5
fe00238ad7cf704b054bcb613210a365

SHA1
1c27155e2b1ac28c5e2075aaa4d141bd97a286bf

SHA256
d94f3951224822cb7ff476a18259fae27dbba0ae99060465ad18e2b4580fca82

SHA512
10efd96c287386b952741500175b9495b213f08546f46f204228ab50e94e57ccd5cef305038ba497ce18773d245dcb5eca732ec8c10eb8aa5c86924b3bda507a

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
430KB

MD5
8730820fabb55d15f327b8bca8ade887

SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3

SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af

SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034

Download Submit
memory/2120-135-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2120-132-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2484-153-0x0000000008230000-0x0000000008323000-memory.dmp

Filesize
972KB

Download
memory/2484-148-0x0000000008230000-0x0000000008323000-memory.dmp

Filesize
972KB

Download
memory/3424-149-0x0000020213A40000-0x0000020213B33000-memory.dmp

Filesize
972KB

Download
memory/3696-150-0x00000119D5D20000-0x00000119D5E13000-memory.dmp

Filesize
972KB

Download
memory/4648-151-0x000001658B960000-0x000001658BA53000-memory.dmp

Filesize
972KB

Download
memory/4764-152-0x0000020193000000-0x00000201930F3000-memory.dmp

Filesize
972KB

Download
memory/4800-139-0x0000000000000000-mapping.dmp

Download
memory/4800-146-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4828-145-0x0000000000000000-mapping.dmp

Download
memory/4828-147-0x0000000000290000-0x0000000000383000-memory.dmp

Filesize
972KB

Download
memory/4884-136-0x0000000000000000-mapping.dmp

Download
memory/4924-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads