gozi_ifsb | 514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54

General

Target

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe
Size

497KB
MD5

607b8176885a9c8c8f2be0067ee9aeba
SHA1

7bbe505272fac18a05491b0c6f6bc92a7c26dc23
SHA256

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54
SHA512

372eda54a5ddba51de3f091df58d00d451bb83820d79b3f97209dfbfda6991a3e3f5647b8ba0291b80b1d6322cef844ced08c7a74e0cf280b86455f00fc626a8
SSDEEP

12288:U80ftiYRgLLrxRzG6h2/8E9rK/PIEIkqv59SLes:10tjRgXG6h2D04EIkqv5UV

Score

10^/10

gozi_ifsb 1000 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

rastobona.com

artefaki.com

spamhouseanilingus.ru

gazitivaton.ru

Attributes

build
200000
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Appxplua.exe

pid process

5100 Appxplua.exe

pid	process
5100	Appxplua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\altsangs = "C:\\Users\\Admin\\AppData\\Roaming\\baseeMas\\Appxplua.exe"	514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 5100 set thread context of 5036	5100	Appxplua.exe	svchost.exe
PID 5036 set thread context of 380	5036	svchost.exe	Explorer.EXE
PID 380 set thread context of 3408	380	Explorer.EXE	RuntimeBroker.exe
PID 380 set thread context of 3704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 set thread context of 4752	380	Explorer.EXE	RuntimeBroker.exe
PID 380 set thread context of 4704	380	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Appxplua.exeExplorer.EXE

pid process

5100 Appxplua.exe
5100 Appxplua.exe
380 Explorer.EXE
380 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

380 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Appxplua.exesvchost.exeExplorer.EXE

pid process

5100 Appxplua.exe
5036 svchost.exe
380 Explorer.EXE
380 Explorer.EXE
380 Explorer.EXE
380 Explorer.EXE

pid	process
5100	Appxplua.exe
5100	Appxplua.exe
380	Explorer.EXE
380	Explorer.EXE

pid	process
380	Explorer.EXE

pid	process
5100	Appxplua.exe
5036	svchost.exe
380	Explorer.EXE
380	Explorer.EXE
380	Explorer.EXE
380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3408	RuntimeBroker.exe
Token: SeShutdownPrivilege	3408	RuntimeBroker.exe
Token: SeShutdownPrivilege	3408	RuntimeBroker.exe
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

380 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

380 Explorer.EXE

pid	process
380	Explorer.EXE

pid	process
380	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.execmd.execmd.exeAppxplua.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 5024 wrote to memory of 2500	5024	514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe	cmd.exe
PID 5024 wrote to memory of 2500	5024	514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe	cmd.exe
PID 5024 wrote to memory of 2500	5024	514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe	cmd.exe
PID 2500 wrote to memory of 4824	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 4824	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 4824	2500	cmd.exe	cmd.exe
PID 4824 wrote to memory of 5100	4824	cmd.exe	Appxplua.exe
PID 4824 wrote to memory of 5100	4824	cmd.exe	Appxplua.exe
PID 4824 wrote to memory of 5100	4824	cmd.exe	Appxplua.exe
PID 5100 wrote to memory of 5036	5100	Appxplua.exe	svchost.exe
PID 5100 wrote to memory of 5036	5100	Appxplua.exe	svchost.exe
PID 5100 wrote to memory of 5036	5100	Appxplua.exe	svchost.exe
PID 5100 wrote to memory of 5036	5100	Appxplua.exe	svchost.exe
PID 5100 wrote to memory of 5036	5100	Appxplua.exe	svchost.exe
PID 5036 wrote to memory of 380	5036	svchost.exe	Explorer.EXE
PID 5036 wrote to memory of 380	5036	svchost.exe	Explorer.EXE
PID 5036 wrote to memory of 380	5036	svchost.exe	Explorer.EXE
PID 380 wrote to memory of 3408	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 3408	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 3408	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 3704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 3704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 3704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4752	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4752	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4752	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4704	380	Explorer.EXE	RuntimeBroker.exe
PID 380 wrote to memory of 4704	380	Explorer.EXE	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe
"C:\Users\Admin\AppData\Local\Temp\514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9638\51B6.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\514B0D~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\514B0D~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
"C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\514B0D~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9638\51B6.bat
Filesize
112B

MD5
798567b8fc66be01ff3a11d7cb2cbb05

SHA1
4ffc63f59a2ce00c0e94a2fd43d5ab767b325e15

SHA256
354c636fa48948869c7e78a5b0e160819345fd628417f3d58aa22d99f4f2d10e

SHA512
9ca26b50e4d60c8975c1a9325a3d43b548d20829e336df40701825b07156035ba75ab7e4d9ca25fddecbd444d66eedc00c11ee926147b011479c3a163e401c8d

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
497KB

MD5
607b8176885a9c8c8f2be0067ee9aeba

SHA1
7bbe505272fac18a05491b0c6f6bc92a7c26dc23

SHA256
514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54

SHA512
372eda54a5ddba51de3f091df58d00d451bb83820d79b3f97209dfbfda6991a3e3f5647b8ba0291b80b1d6322cef844ced08c7a74e0cf280b86455f00fc626a8

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
497KB

MD5
607b8176885a9c8c8f2be0067ee9aeba

SHA1
7bbe505272fac18a05491b0c6f6bc92a7c26dc23

SHA256
514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54

SHA512
372eda54a5ddba51de3f091df58d00d451bb83820d79b3f97209dfbfda6991a3e3f5647b8ba0291b80b1d6322cef844ced08c7a74e0cf280b86455f00fc626a8

Download Submit
memory/380-154-0x0000000005110000-0x00000000051F9000-memory.dmp

Filesize
932KB

Download
memory/380-150-0x0000000005110000-0x00000000051F9000-memory.dmp

Filesize
932KB

Download
memory/2500-136-0x0000000000000000-mapping.dmp

Download
memory/3408-149-0x00000298F2990000-0x00000298F2A79000-memory.dmp

Filesize
932KB

Download
memory/3704-151-0x00000169AA2D0000-0x00000169AA3B9000-memory.dmp

Filesize
932KB

Download
memory/4704-153-0x000001D98FC00000-0x000001D98FCE9000-memory.dmp

Filesize
932KB

Download
memory/4752-152-0x000002247B2B0000-0x000002247B399000-memory.dmp

Filesize
932KB

Download
memory/4824-138-0x0000000000000000-mapping.dmp

Download
memory/5024-132-0x0000000000C00000-0x0000000000C03000-memory.dmp

Filesize
12KB

Download
memory/5024-135-0x0000000000C10000-0x0000000000C13000-memory.dmp

Filesize
12KB

Download
memory/5024-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5036-146-0x0000000000000000-mapping.dmp

Download
memory/5036-147-0x0000000000F60000-0x0000000001049000-memory.dmp

Filesize
932KB

Download
memory/5036-148-0x0000000000F60000-0x0000000001049000-memory.dmp

Filesize
932KB

Download
memory/5100-145-0x0000000000560000-0x0000000000563000-memory.dmp

Filesize
12KB

Download
memory/5100-144-0x0000000000550000-0x0000000000553000-memory.dmp

Filesize
12KB

Download
memory/5100-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5100-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads