gozi | b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a

General

Target

b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a.dll
Size

1.1MB
MD5

a7af472527c6c611daceff4959cbd9e7
SHA1

f94ef7012565e6238c53c85432bd2896afe4dd2d
SHA256

b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a
SHA512

f7132c7240bcaf498b9a5c7efe08b5b1796bf17a6730dec8e3f029a5cdc733ab3a0b409b6d8d3e52fb2c03267159337ed6c4551260ec6d43c8dc71e7c554b2bf
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69iTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4x

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\devmrole = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Dfscels\\AppIdmrc.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.execontrol.exe

description	pid	process	target process
PID 956 set thread context of 560	956	rundll32.exe	control.exe
PID 560 set thread context of 1220	560	control.exe	Explorer.EXE
PID 560 set thread context of 1524	560	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

956 rundll32.exe
1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.execontrol.exe

pid process

956 rundll32.exe
560 control.exe
560 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
956	rundll32.exe
1220	Explorer.EXE

pid	process
956	rundll32.exe
560	control.exe
560	control.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execontrol.exe

description	pid	process	target process
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 956	2016	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 956 wrote to memory of 560	956	rundll32.exe	control.exe
PID 560 wrote to memory of 1220	560	control.exe	Explorer.EXE
PID 560 wrote to memory of 1220	560	control.exe	Explorer.EXE
PID 560 wrote to memory of 1220	560	control.exe	Explorer.EXE
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe
PID 560 wrote to memory of 1524	560	control.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Dfscels\AppIdmrc.dll
Filesize
1.1MB

MD5
a7af472527c6c611daceff4959cbd9e7

SHA1
f94ef7012565e6238c53c85432bd2896afe4dd2d

SHA256
b1f34b40964b4108d8bd6be65cb8e0abd746ae6cf45730b2e0f9ddffc6070c9a

SHA512
f7132c7240bcaf498b9a5c7efe08b5b1796bf17a6730dec8e3f029a5cdc733ab3a0b409b6d8d3e52fb2c03267159337ed6c4551260ec6d43c8dc71e7c554b2bf

Download Submit
memory/560-69-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/560-66-0x0000000000000000-mapping.dmp

Download
memory/560-73-0x0000000001B80000-0x0000000001C34000-memory.dmp

Filesize
720KB

Download
memory/560-68-0x0000000001B80000-0x0000000001C34000-memory.dmp

Filesize
720KB

Download
memory/956-59-0x00000000001C0000-0x000000000020B000-memory.dmp

Filesize
300KB

Download
memory/956-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/956-67-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/956-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/956-54-0x0000000000000000-mapping.dmp

Download
memory/956-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/956-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1220-74-0x0000000004B10000-0x0000000004BC4000-memory.dmp

Filesize
720KB

Download
memory/1524-71-0x0000000000000000-mapping.dmp

Download
memory/1524-72-0x0000000000350000-0x0000000000404000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads