gozi | 4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d

General

Target

4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d.dll
Size

1.1MB
MD5

ce3caf597b8033e4b6f9ca4dcf358c96
SHA1

33572e4206dda16fb00cc76be3e322e8f536b39a
SHA256

4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d
SHA512

4b8fd2700a6e3a3ff2f52bbc61a61d15f5069e0177d42335d03e30aa1654ea74e1d92ab6b686bba2fbb7c742a6dc12d92c23f23f98620d13f171b603048a22ad
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69yTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4h

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\brdgport = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Appitcls\\advpgmts.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.execontrol.exe

description	pid	process	target process
PID 548 set thread context of 456	548	rundll32.exe	control.exe
PID 456 set thread context of 1380	456	control.exe	Explorer.EXE
PID 456 set thread context of 1992	456	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

548 rundll32.exe
1380 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.execontrol.exe

pid process

548 rundll32.exe
456 control.exe
456 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE

pid	process
548	rundll32.exe
1380	Explorer.EXE

pid	process
548	rundll32.exe
456	control.exe
456	control.exe

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execontrol.exe

description	pid	process	target process
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 864 wrote to memory of 548	864	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 548 wrote to memory of 456	548	rundll32.exe	control.exe
PID 456 wrote to memory of 1380	456	control.exe	Explorer.EXE
PID 456 wrote to memory of 1380	456	control.exe	Explorer.EXE
PID 456 wrote to memory of 1380	456	control.exe	Explorer.EXE
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe
PID 456 wrote to memory of 1992	456	control.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Appitcls\advpgmts.dll
Filesize
1.1MB

MD5
ce3caf597b8033e4b6f9ca4dcf358c96

SHA1
33572e4206dda16fb00cc76be3e322e8f536b39a

SHA256
4f8369b4b67d45b7edf0ad022996a4bad6e49659bf873b7ea6425e37f5bdc15d

SHA512
4b8fd2700a6e3a3ff2f52bbc61a61d15f5069e0177d42335d03e30aa1654ea74e1d92ab6b686bba2fbb7c742a6dc12d92c23f23f98620d13f171b603048a22ad

Download Submit
memory/456-67-0x0000000000000000-mapping.dmp

Download
memory/456-75-0x0000000001B80000-0x0000000001C34000-memory.dmp

Filesize
720KB

Download
memory/456-73-0x0000000001B80000-0x0000000001C34000-memory.dmp

Filesize
720KB

Download
memory/456-69-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/548-68-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/548-60-0x0000000000200000-0x000000000024B000-memory.dmp

Filesize
300KB

Download
memory/548-59-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/548-54-0x0000000000000000-mapping.dmp

Download
memory/548-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/548-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/548-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/548-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1380-72-0x0000000004DE0000-0x0000000004E94000-memory.dmp

Filesize
720KB

Download
memory/1992-71-0x0000000000000000-mapping.dmp

Download
memory/1992-74-0x00000000004A0000-0x0000000000554000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads