gozi | 68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34

General

Target

68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34.dll
Size

1.1MB
MD5

a5e27d0d90056b98056cc8119eee25cf
SHA1

f1cb8b468cd6947785594ef4de17d18afe24b3af
SHA256

68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34
SHA512

e6cf0edaf9c0c3a8caa8eff1bc43ab993f51de2890b4764c1839086ab26cb45a7f23a75cafc7562135551cf3a279938e083ab6f6130e3688c29d4e5aa2abdd57
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69ZTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4a

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Certsadu = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Dmocsenh\\blbrroxy.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1104 set thread context of 2044	1104	rundll32.exe	control.exe
PID 2044 set thread context of 1212	2044	control.exe	Explorer.EXE
PID 2044 set thread context of 1028	2044	control.exe	rundll32.exe
PID 1212 set thread context of 1988	1212	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

1104 rundll32.exe
1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

1104 rundll32.exe
2044 control.exe
2044 control.exe
1212 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE

pid	process
1104	rundll32.exe
1212	Explorer.EXE

pid	process
1104	rundll32.exe
2044	control.exe
2044	control.exe
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1104	1976	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 1104 wrote to memory of 2044	1104	rundll32.exe	control.exe
PID 2044 wrote to memory of 1212	2044	control.exe	Explorer.EXE
PID 2044 wrote to memory of 1212	2044	control.exe	Explorer.EXE
PID 2044 wrote to memory of 1212	2044	control.exe	Explorer.EXE
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 2044 wrote to memory of 1028	2044	control.exe	rundll32.exe
PID 1212 wrote to memory of 276	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 276	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 276	1212	Explorer.EXE	cmd.exe
PID 276 wrote to memory of 1308	276	cmd.exe	nslookup.exe
PID 276 wrote to memory of 1308	276	cmd.exe	nslookup.exe
PID 276 wrote to memory of 1308	276	cmd.exe	nslookup.exe
PID 1212 wrote to memory of 1324	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1324	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1324	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe
PID 1212 wrote to memory of 1988	1212	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:1028

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\93EC.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1308

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\93EC.bi1"
2⤵
PID:1324

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93EC.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\93EC.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Dmocsenh\blbrroxy.dll
Filesize
1.1MB

MD5
a5e27d0d90056b98056cc8119eee25cf

SHA1
f1cb8b468cd6947785594ef4de17d18afe24b3af

SHA256
68c432acf13a91be7865621d5e6300da18d0c1d89589fbccb58b370df1aecf34

SHA512
e6cf0edaf9c0c3a8caa8eff1bc43ab993f51de2890b4764c1839086ab26cb45a7f23a75cafc7562135551cf3a279938e083ab6f6130e3688c29d4e5aa2abdd57

Download Submit
memory/276-75-0x0000000000000000-mapping.dmp

Download
memory/1028-71-0x0000000000000000-mapping.dmp

Download
memory/1028-72-0x0000000001CB0000-0x0000000001D64000-memory.dmp

Filesize
720KB

Download
memory/1104-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1104-55-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1104-67-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1104-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1104-59-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/1104-54-0x0000000000000000-mapping.dmp

Download
memory/1104-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1212-74-0x0000000003C70000-0x0000000003D24000-memory.dmp

Filesize
720KB

Download
memory/1308-76-0x0000000000000000-mapping.dmp

Download
memory/1324-77-0x0000000000000000-mapping.dmp

Download
memory/1988-80-0x0000000000000000-mapping.dmp

Download
memory/1988-81-0x0000000000270000-0x0000000000317000-memory.dmp

Filesize
668KB

Download
memory/2044-73-0x00000000003A0000-0x0000000000454000-memory.dmp

Filesize
720KB

Download
memory/2044-69-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/2044-68-0x00000000003A0000-0x0000000000454000-memory.dmp

Filesize
720KB

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads