gozi | 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857

General

Target

39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll
Size

1.1MB
MD5

eca15499ba78aa5aaf8d3ad2311ec097
SHA1

d30a04f76ad83f643342238411e5aebaef0b3442
SHA256

39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857
SHA512

2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69vTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4s

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmdsupnp = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\D3d8roxy\\authvoas.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.execontrol.exe

description	pid	process	target process
PID 1520 set thread context of 1068	1520	rundll32.exe	control.exe
PID 1068 set thread context of 1284	1068	control.exe	Explorer.EXE
PID 1068 set thread context of 1772	1068	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

1520 rundll32.exe
1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.execontrol.exe

pid process

1520 rundll32.exe
1068 control.exe
1068 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1520	rundll32.exe
1284	Explorer.EXE

pid	process
1520	rundll32.exe
1068	control.exe
1068	control.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execontrol.exe

description	pid	process	target process
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 792 wrote to memory of 1520	792	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1520 wrote to memory of 1068	1520	rundll32.exe	control.exe
PID 1068 wrote to memory of 1284	1068	control.exe	Explorer.EXE
PID 1068 wrote to memory of 1284	1068	control.exe	Explorer.EXE
PID 1068 wrote to memory of 1284	1068	control.exe	Explorer.EXE
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	control.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
4⤵
PID:1772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\D3d8roxy\authvoas.dll
Filesize
1.1MB

MD5
eca15499ba78aa5aaf8d3ad2311ec097

SHA1
d30a04f76ad83f643342238411e5aebaef0b3442

SHA256
39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857

SHA512
2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf

Download Submit
memory/1068-67-0x0000000000000000-mapping.dmp

Download
memory/1068-75-0x0000000001BA0000-0x0000000001C54000-memory.dmp

Filesize
720KB

Download
memory/1068-70-0x000007FEFC131000-0x000007FEFC133000-memory.dmp

Filesize
8KB

Download
memory/1068-68-0x0000000001BA0000-0x0000000001C54000-memory.dmp

Filesize
720KB

Download
memory/1284-76-0x0000000006550000-0x0000000006604000-memory.dmp

Filesize
720KB

Download
memory/1284-71-0x0000000006550000-0x0000000006604000-memory.dmp

Filesize
720KB

Download
memory/1520-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1520-60-0x0000000000210000-0x000000000025B000-memory.dmp

Filesize
300KB

Download
memory/1520-69-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1520-59-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1520-54-0x0000000000000000-mapping.dmp

Download
memory/1520-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1520-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1520-55-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1772-72-0x0000000000000000-mapping.dmp

Download
memory/1772-74-0x0000000001AA0000-0x0000000001B54000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads