gozi_ifsb | 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

General

Target

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
Size

418KB
MD5

b8ea5cdd085bea860fb94bef2fecb6d9
SHA1

3788cec204c0f2f6fe674fba85895f99f48a1f23
SHA256

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
SHA512

45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632
SSDEEP

12288:4r7ox3gdRAAzI+L7sCcDIg54qlcepleY:43ox3ghzHsIg2yvU

Score

10^/10

gozi_ifsb 1100 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2

cyajon.at/krp3cmg

hipohook.cn/krp3cmg

rokolero.at/krp3cmg

arexan.at/krp3cmg

voligon.cn/krp3cmg

qwevigoc.at/krp3cmg

comerail.su/krp3cmg

boombom.at/krp3cmg

xiloker.cn/krp3cmg

xorewopa.at/krp3cmg

goinumder.su/krp3cmg

ribomoon.cn/krp3cmg

ambikooly.at/krp3cmg

therepalon.su/krp3cmg

chikoole.cn/krp3cmg

Attributes

build
214837
exe_type
worker
server_id
110

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

audiApis.exe

pid process

3440 audiApis.exe

pid	process
3440	audiApis.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atl1uthz = "C:\\Users\\Admin\\AppData\\Roaming\\clfsgacy\\audiApis.exe"	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

audiApis.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 3440 set thread context of 3624	3440	audiApis.exe	svchost.exe
PID 3624 set thread context of 2984	3624	svchost.exe	Explorer.EXE
PID 2984 set thread context of 3424	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 set thread context of 3692	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 set thread context of 4596	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 set thread context of 544	2984	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

audiApis.exeExplorer.EXE

pid process

3440 audiApis.exe
3440 audiApis.exe
2984 Explorer.EXE
2984 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2984 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

audiApis.exesvchost.exeExplorer.EXE

pid process

3440 audiApis.exe
3624 svchost.exe
2984 Explorer.EXE
2984 Explorer.EXE
2984 Explorer.EXE
2984 Explorer.EXE

pid	process
3440	audiApis.exe
3440	audiApis.exe
2984	Explorer.EXE
2984	Explorer.EXE

pid	process
2984	Explorer.EXE

pid	process
3440	audiApis.exe
3624	svchost.exe
2984	Explorer.EXE
2984	Explorer.EXE
2984	Explorer.EXE
2984	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	3424	RuntimeBroker.exe
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exeaudiApis.exe

pid process

3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
3440 audiApis.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exeaudiApis.exe

pid process

3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
3440 audiApis.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2984 Explorer.EXE

pid	process
3420	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
3440	audiApis.exe

pid	process
3420	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
3440	audiApis.exe

pid	process
2984	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.execmd.execmd.exeaudiApis.exesvchost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3420 wrote to memory of 2704	3420	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe	cmd.exe
PID 3420 wrote to memory of 2704	3420	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe	cmd.exe
PID 3420 wrote to memory of 2704	3420	3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe	cmd.exe
PID 2704 wrote to memory of 3412	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 3412	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 3412	2704	cmd.exe	cmd.exe
PID 3412 wrote to memory of 3440	3412	cmd.exe	audiApis.exe
PID 3412 wrote to memory of 3440	3412	cmd.exe	audiApis.exe
PID 3412 wrote to memory of 3440	3412	cmd.exe	audiApis.exe
PID 3440 wrote to memory of 3624	3440	audiApis.exe	svchost.exe
PID 3440 wrote to memory of 3624	3440	audiApis.exe	svchost.exe
PID 3440 wrote to memory of 3624	3440	audiApis.exe	svchost.exe
PID 3440 wrote to memory of 3624	3440	audiApis.exe	svchost.exe
PID 3440 wrote to memory of 3624	3440	audiApis.exe	svchost.exe
PID 3624 wrote to memory of 2984	3624	svchost.exe	Explorer.EXE
PID 3624 wrote to memory of 2984	3624	svchost.exe	Explorer.EXE
PID 3624 wrote to memory of 2984	3624	svchost.exe	Explorer.EXE
PID 2984 wrote to memory of 3424	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 3424	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 3424	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 3692	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 3692	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 3692	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 4596	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 4596	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 4596	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 544	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 544	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 544	2984	Explorer.EXE	RuntimeBroker.exe
PID 2984 wrote to memory of 1704	2984	Explorer.EXE	cmd.exe
PID 2984 wrote to memory of 1704	2984	Explorer.EXE	cmd.exe
PID 1704 wrote to memory of 2096	1704	cmd.exe	nslookup.exe
PID 1704 wrote to memory of 2096	1704	cmd.exe	nslookup.exe
PID 2984 wrote to memory of 444	2984	Explorer.EXE	cmd.exe
PID 2984 wrote to memory of 444	2984	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4596

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
  "C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBA2\75D1.bat" "C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe
        
        "C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3624
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"
  2⤵
  PID:444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2FC6.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FC6.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBA2\75D1.bat

Filesize
112B

MD5
5fc401d2a575bc2f2091c704f3dc12c6

SHA1
f42d307e59ef42fdfdeef5752fcea5290e320d42

SHA256
4fea69b6a9839d8ef7adbbded58f5dbaef7de63c9bcb1181981e1636dbbceb8f

SHA512
39964b8c02f9c39f48db87a66d7fde63db21aa4a19aa271aad525a18f4e9408b80e6a08e7a98748352a31f98cd2b8f4b8bba9fe1a3173e69e7e72d5e30c09615

Download Submit
C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe

Filesize
418KB

MD5
b8ea5cdd085bea860fb94bef2fecb6d9

SHA1
3788cec204c0f2f6fe674fba85895f99f48a1f23

SHA256
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

SHA512
45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

Download Submit
C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe

Filesize
418KB

MD5
b8ea5cdd085bea860fb94bef2fecb6d9

SHA1
3788cec204c0f2f6fe674fba85895f99f48a1f23

SHA256
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

SHA512
45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

Download Submit
memory/444-154-0x0000000000000000-mapping.dmp

Download
memory/544-150-0x000001E8D3640000-0x000001E8D36CE000-memory.dmp

Filesize
568KB

Download
memory/1704-152-0x0000000000000000-mapping.dmp

Download
memory/2096-153-0x0000000000000000-mapping.dmp

Download
memory/2704-135-0x0000000000000000-mapping.dmp

Download
memory/2984-146-0x00000000086C0000-0x000000000874E000-memory.dmp

Filesize
568KB

Download
memory/2984-151-0x00000000086C0000-0x000000000874E000-memory.dmp

Filesize
568KB

Download
memory/3412-137-0x0000000000000000-mapping.dmp

Download
memory/3420-132-0x0000000002A60000-0x0000000002A82000-memory.dmp

Filesize
136KB

Download
memory/3420-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3424-147-0x000002D9468C0000-0x000002D94694E000-memory.dmp

Filesize
568KB

Download
memory/3440-142-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3440-141-0x0000000002920000-0x0000000002942000-memory.dmp

Filesize
136KB

Download
memory/3440-138-0x0000000000000000-mapping.dmp

Download
memory/3624-144-0x0000000000000000-mapping.dmp

Download
memory/3624-145-0x0000000000240000-0x00000000002CE000-memory.dmp

Filesize
568KB

Download
memory/3692-148-0x000001F0B3D50000-0x000001F0B3DDE000-memory.dmp

Filesize
568KB

Download
memory/4596-149-0x000002AA76860000-0x000002AA768EE000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads