gozi | d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73

General

Target

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
Size

359KB
MD5

a5d00f4f2dc2a70f41f9078e954fa3f7
SHA1

66c366e18ad670127108367df79398f524de28c3
SHA256

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73
SHA512

62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee
SSDEEP

6144:WiYJpJ1cY/d6fV7QTBpbbFzYyIHuoEUOckLiVfxbW3y2BNmm8:uJr9l65QTbbb93GuoExHLiVfeNx

Score

10^/10

gozi 1010 banker evasion isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

lan.hayloindigo.com/geodata/version/ip2ext

sys.jacentacobb.com/geodata/version/ip2ext

bot.wakeandbakealldaylong.com/geodata/version/ip2ext

adm.cutmedic.com/geodata/version/ip2ext

lansystemstat.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes

exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe = "0"	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

Executes dropped EXE 1 IoCs

Processes:

bitsprx3.exe

pid process

604 bitsprx3.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

844 cmd.exe
844 cmd.exe

pid	process
604	bitsprx3.exe

pid	process
844	cmd.exe
844	cmd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe = "0"	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\C_ISroxy = "C:\\Users\\Admin\\AppData\\Roaming\\authyApi\\bitsprx3.exe"	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

description pid process

Token: SeTakeOwnershipPrivilege 1992 d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exebitsprx3.exe

pid process

1992 d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
604 bitsprx3.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe

pid	process
1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
604	bitsprx3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.execmd.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1516	1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe	cmd.exe
PID 1992 wrote to memory of 1516	1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe	cmd.exe
PID 1992 wrote to memory of 1516	1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe	cmd.exe
PID 1992 wrote to memory of 1516	1992	d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe	cmd.exe
PID 1516 wrote to memory of 844	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 844	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 844	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 844	1516	cmd.exe	cmd.exe
PID 844 wrote to memory of 604	844	cmd.exe	bitsprx3.exe
PID 844 wrote to memory of 604	844	cmd.exe	bitsprx3.exe
PID 844 wrote to memory of 604	844	cmd.exe	bitsprx3.exe
PID 844 wrote to memory of 604	844	cmd.exe	bitsprx3.exe

C:\Users\Admin\AppData\Local\Temp\d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
"C:\Users\Admin\AppData\Local\Temp\d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe"
1⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9AD7\5417.bat" "C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe
"C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9AD7\5417.bat
Filesize
108B

MD5
eebd0461c3f577d675fdbc22dfa50b5f

SHA1
5b1846cdc6d1d158db07987a95dd82d2c6e3e294

SHA256
4edb2686c037a315a97e5e3c2451e84cc06874f8ce772c9e8073a5c732da4bea

SHA512
c926aaf4f7b2167a935036ea04597a85a3a3c68d13a20cb383464a8d90b47515f1ba47eb6285f3e063cc221b908730877caf4225c6facb91b429436fb79cf90c

Download Submit
C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe
Filesize
359KB

MD5
a5d00f4f2dc2a70f41f9078e954fa3f7

SHA1
66c366e18ad670127108367df79398f524de28c3

SHA256
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73

SHA512
62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee

Download Submit
C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe
Filesize
359KB

MD5
a5d00f4f2dc2a70f41f9078e954fa3f7

SHA1
66c366e18ad670127108367df79398f524de28c3

SHA256
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73

SHA512
62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee

Download Submit
\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe
Filesize
359KB

MD5
a5d00f4f2dc2a70f41f9078e954fa3f7

SHA1
66c366e18ad670127108367df79398f524de28c3

SHA256
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73

SHA512
62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee

Download Submit
\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe
Filesize
359KB

MD5
a5d00f4f2dc2a70f41f9078e954fa3f7

SHA1
66c366e18ad670127108367df79398f524de28c3

SHA256
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73

SHA512
62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee

Download Submit
memory/604-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/604-64-0x0000000000000000-mapping.dmp

Download
memory/844-60-0x0000000000000000-mapping.dmp

Download
memory/1516-57-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1992-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads