gozi_ifsb | 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

General

Target

42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
Size

437KB
MD5

b5f35ddf66046061fe55935b2bb210c8
SHA1

1b0cc49bdbc8959938088747c048fc98b8386bad
SHA256

42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
SHA512

a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265
SSDEEP

6144:nuU4My6j817/7TodFsGN858k31BSZW5lV3QfZ0SHKDGiRX8AeZ+oDsCgu77+YESv:nuuyt7jTodFzjUD5AfZ0cUGW8V6QcAHd

Score

10^/10

gozi_ifsb 1001 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

Attributes

build
215840
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
exe_type
worker
server_id
93

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Appxplua.exe

pid process

4996 Appxplua.exe

pid	process
4996	Appxplua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\altsangs = "C:\\Users\\Admin\\AppData\\Roaming\\baseeMas\\Appxplua.exe"	42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 4996 set thread context of 2676	4996	Appxplua.exe	svchost.exe
PID 2676 set thread context of 2220	2676	svchost.exe	Explorer.EXE
PID 2220 set thread context of 3420	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 set thread context of 3712	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 set thread context of 4708	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 set thread context of 5064	2220	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Appxplua.exeExplorer.EXE

pid process

4996 Appxplua.exe
4996 Appxplua.exe
2220 Explorer.EXE
2220 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2220 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

pid process

4996 Appxplua.exe
2676 svchost.exe
2220 Explorer.EXE
2220 Explorer.EXE
2220 Explorer.EXE
2220 Explorer.EXE

pid	process
4996	Appxplua.exe
4996	Appxplua.exe
2220	Explorer.EXE
2220	Explorer.EXE

pid	process
2220	Explorer.EXE

pid	process
4996	Appxplua.exe
2676	svchost.exe
2220	Explorer.EXE
2220	Explorer.EXE
2220	Explorer.EXE
2220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2220	Explorer.EXE
Token: SeCreatePagefilePrivilege	2220	Explorer.EXE
Token: SeShutdownPrivilege	2220	Explorer.EXE
Token: SeCreatePagefilePrivilege	2220	Explorer.EXE
Token: SeShutdownPrivilege	2220	Explorer.EXE
Token: SeCreatePagefilePrivilege	2220	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2220 Explorer.EXE

pid	process
2220	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.execmd.execmd.exeAppxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 3348 wrote to memory of 3740	3348	42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe	cmd.exe
PID 3348 wrote to memory of 3740	3348	42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe	cmd.exe
PID 3348 wrote to memory of 3740	3348	42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe	cmd.exe
PID 3740 wrote to memory of 3640	3740	cmd.exe	cmd.exe
PID 3740 wrote to memory of 3640	3740	cmd.exe	cmd.exe
PID 3740 wrote to memory of 3640	3740	cmd.exe	cmd.exe
PID 3640 wrote to memory of 4996	3640	cmd.exe	Appxplua.exe
PID 3640 wrote to memory of 4996	3640	cmd.exe	Appxplua.exe
PID 3640 wrote to memory of 4996	3640	cmd.exe	Appxplua.exe
PID 4996 wrote to memory of 2676	4996	Appxplua.exe	svchost.exe
PID 4996 wrote to memory of 2676	4996	Appxplua.exe	svchost.exe
PID 4996 wrote to memory of 2676	4996	Appxplua.exe	svchost.exe
PID 4996 wrote to memory of 2676	4996	Appxplua.exe	svchost.exe
PID 4996 wrote to memory of 2676	4996	Appxplua.exe	svchost.exe
PID 2676 wrote to memory of 2220	2676	svchost.exe	Explorer.EXE
PID 2676 wrote to memory of 2220	2676	svchost.exe	Explorer.EXE
PID 2676 wrote to memory of 2220	2676	svchost.exe	Explorer.EXE
PID 2220 wrote to memory of 3420	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 3420	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 3420	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 3712	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 3712	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 3712	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 4708	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 4708	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 4708	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 5064	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 5064	2220	Explorer.EXE	RuntimeBroker.exe
PID 2220 wrote to memory of 5064	2220	Explorer.EXE	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3712

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
  "C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D2C\9E96.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
        
        "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3D2C\9E96.bat

Filesize
112B

MD5
cd0da4581114d8a20394c3118e76219e

SHA1
59c42dedccb955507aaf07ceac492b428e708298

SHA256
9f4a52b0ffa2ad75689899e4e8b7d12edbed27882d920ad7bb85f4a7fc5f50d6

SHA512
9e6e8641115cf3cdacf8ce4e836eec4c1330861683c9827ab3705fafc5b0b1dd90f445858221fc736479354de070bc0a3a360cbd44ad2b34f8946824af68d308

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe

Filesize
437KB

MD5
b5f35ddf66046061fe55935b2bb210c8

SHA1
1b0cc49bdbc8959938088747c048fc98b8386bad

SHA256
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

SHA512
a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe

Filesize
437KB

MD5
b5f35ddf66046061fe55935b2bb210c8

SHA1
1b0cc49bdbc8959938088747c048fc98b8386bad

SHA256
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

SHA512
a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265

Download Submit
memory/2220-152-0x0000000002E50000-0x0000000002EEB000-memory.dmp

Filesize
620KB

Download
memory/2220-147-0x0000000002E50000-0x0000000002EEB000-memory.dmp

Filesize
620KB

Download
memory/2676-145-0x0000000000000000-mapping.dmp

Download
memory/2676-146-0x00000000004B0000-0x000000000054B000-memory.dmp

Filesize
620KB

Download
memory/3348-133-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3348-132-0x0000000002770000-0x00000000027B4000-memory.dmp

Filesize
272KB

Download
memory/3348-136-0x0000000002770000-0x00000000027B4000-memory.dmp

Filesize
272KB

Download
memory/3420-148-0x00000210D6200000-0x00000210D629B000-memory.dmp

Filesize
620KB

Download
memory/3640-138-0x0000000000000000-mapping.dmp

Download
memory/3712-149-0x0000012D443A0000-0x0000012D4443B000-memory.dmp

Filesize
620KB

Download
memory/3740-135-0x0000000000000000-mapping.dmp

Download
memory/4708-150-0x00000297DEF30000-0x00000297DEFCB000-memory.dmp

Filesize
620KB

Download
memory/4996-142-0x0000000002350000-0x0000000002394000-memory.dmp

Filesize
272KB

Download
memory/4996-143-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4996-139-0x0000000000000000-mapping.dmp

Download
memory/5064-151-0x0000012C40510000-0x0000012C405AB000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads