gozi | ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

General

Target

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe
Size

361KB
MD5

0f4a6d7ab535e9354fde86800e3b3739
SHA1

76b1f3c52206aa92df7bfe9e0846a07adb700106
SHA256

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
SHA512

444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60
SSDEEP

6144:4IVQv0y3NRJO22A8oos+W0OBMgxDy1+yAD20GvPYE8a:RVQvBNfORjVOB7xDQ1AD20GXYEZ

Score

10^/10

gozi 1010 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 1 IoCs

Processes:

Authbk32.exe

pid process

4824 Authbk32.exe

pid	process
4824	Authbk32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bitssvcs = "C:\\Users\\Admin\\AppData\\Roaming\\AppVider\\Authbk32.exe"	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

404 4824 WerFault.exe Authbk32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Authbk32.exe

pid process

4824 Authbk32.exe
4824 Authbk32.exe

pid	pid_target	process	target process
404	4824	WerFault.exe	Authbk32.exe

pid	process
4824	Authbk32.exe
4824	Authbk32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.execmd.execmd.exeAuthbk32.exe

description	pid	process	target process
PID 2148 wrote to memory of 2488	2148	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 2148 wrote to memory of 2488	2148	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 2148 wrote to memory of 2488	2148	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 2488 wrote to memory of 4108	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 4108	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 4108	2488	cmd.exe	cmd.exe
PID 4108 wrote to memory of 4824	4108	cmd.exe	Authbk32.exe
PID 4108 wrote to memory of 4824	4108	cmd.exe	Authbk32.exe
PID 4108 wrote to memory of 4824	4108	cmd.exe	Authbk32.exe
PID 4824 wrote to memory of 3544	4824	Authbk32.exe	svchost.exe
PID 4824 wrote to memory of 3544	4824	Authbk32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe
"C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B606\DB13.bat" "C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
"C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 584
5⤵
- Program crash
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4824 -ip 4824
1⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B606\DB13.bat
Filesize
112B

MD5
b7ebdc609e15cfcc90ac7305c5bc9323

SHA1
3ec613d518af880289b5950226b06c308261b6ea

SHA256
6bc46da3c5e3a567a743e66c2b46a041fd1490608fca08caa941d4139af2f050

SHA512
d707608b0447ac0ab756a276d5a888b6ed1049925967abde5b2cfa0ad39e4b0af2a595636351ac91ceeed30377e0240f4848ae1f1f307ff5df912b76dfe6ddd2

Download Submit
C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
Filesize
361KB

MD5
0f4a6d7ab535e9354fde86800e3b3739

SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106

SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

Download Submit
C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
Filesize
361KB

MD5
0f4a6d7ab535e9354fde86800e3b3739

SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106

SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

Download Submit
memory/2148-132-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2148-134-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/2488-135-0x0000000000000000-mapping.dmp

Download
memory/4108-137-0x0000000000000000-mapping.dmp

Download
memory/4824-138-0x0000000000000000-mapping.dmp

Download
memory/4824-141-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-143-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads