gozi | 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857

General

Target

39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll
Size

1.1MB
MD5

eca15499ba78aa5aaf8d3ad2311ec097
SHA1

d30a04f76ad83f643342238411e5aebaef0b3442
SHA256

39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857
SHA512

2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69vTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4s

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dhcptCSP = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Adsnuery\\altsCore.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 7 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1852 set thread context of 4336	1852	rundll32.exe	control.exe
PID 4336 set thread context of 2096	4336	control.exe	Explorer.EXE
PID 2096 set thread context of 3456	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 set thread context of 3808	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 set thread context of 4716	2096	Explorer.EXE	RuntimeBroker.exe
PID 4336 set thread context of 4804	4336	control.exe	rundll32.exe
PID 2096 set thread context of 2640	2096	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

1852 rundll32.exe
1852 rundll32.exe
2096 Explorer.EXE
2096 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2096 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

1852 rundll32.exe
4336 control.exe
2096 Explorer.EXE
2096 Explorer.EXE
2096 Explorer.EXE
4336 control.exe
2096 Explorer.EXE

pid	process
1852	rundll32.exe
1852	rundll32.exe
2096	Explorer.EXE
2096	Explorer.EXE

pid	process
2096	Explorer.EXE

pid	process
1852	rundll32.exe
4336	control.exe
2096	Explorer.EXE
2096	Explorer.EXE
2096	Explorer.EXE
4336	control.exe
2096	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	3456	RuntimeBroker.exe
Token: SeShutdownPrivilege	3456	RuntimeBroker.exe
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE
Token: SeShutdownPrivilege	2096	Explorer.EXE
Token: SeCreatePagefilePrivilege	2096	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2096 Explorer.EXE

pid	process
2096	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2176 wrote to memory of 1852	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 1852	2176	rundll32.exe	rundll32.exe
PID 2176 wrote to memory of 1852	2176	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 4336	1852	rundll32.exe	control.exe
PID 1852 wrote to memory of 4336	1852	rundll32.exe	control.exe
PID 1852 wrote to memory of 4336	1852	rundll32.exe	control.exe
PID 1852 wrote to memory of 4336	1852	rundll32.exe	control.exe
PID 1852 wrote to memory of 4336	1852	rundll32.exe	control.exe
PID 4336 wrote to memory of 2096	4336	control.exe	Explorer.EXE
PID 4336 wrote to memory of 2096	4336	control.exe	Explorer.EXE
PID 4336 wrote to memory of 2096	4336	control.exe	Explorer.EXE
PID 2096 wrote to memory of 3456	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 3456	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 3456	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 3808	2096	Explorer.EXE	RuntimeBroker.exe
PID 4336 wrote to memory of 4804	4336	control.exe	rundll32.exe
PID 4336 wrote to memory of 4804	4336	control.exe	rundll32.exe
PID 4336 wrote to memory of 4804	4336	control.exe	rundll32.exe
PID 2096 wrote to memory of 3808	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 3808	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 4716	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 4716	2096	Explorer.EXE	RuntimeBroker.exe
PID 2096 wrote to memory of 4716	2096	Explorer.EXE	RuntimeBroker.exe
PID 4336 wrote to memory of 4804	4336	control.exe	rundll32.exe
PID 4336 wrote to memory of 4804	4336	control.exe	rundll32.exe
PID 2096 wrote to memory of 2760	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2760	2096	Explorer.EXE	cmd.exe
PID 2760 wrote to memory of 3532	2760	cmd.exe	nslookup.exe
PID 2760 wrote to memory of 3532	2760	cmd.exe	nslookup.exe
PID 2096 wrote to memory of 64	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 64	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe
PID 2096 wrote to memory of 2640	2096	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:4804

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EB74.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:3532

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EB74.bi1"
2⤵
PID:64

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EB74.bi1
Filesize
71B

MD5
1792be16e4b67d0f9ff430d4fce9e72b

SHA1
3f45cc3c374a72426471fe0095b54b4f4b48395f

SHA256
5a65f4bcc907ae201e795219a5b65a43ee1dae209cca2f9c50112050716febde

SHA512
b16ed0ebbfa66afc005ef5b011ebb502c710b78f832219bbda73b0db00898b23d70d096db80a73b68633c895490d1263743c52b88291875e007971e8249d347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB74.bi1
Filesize
82B

MD5
1616f65c811cb62cf00f17c94a9cbc04

SHA1
b2867938a622ebae050e450053d546bfac2010c7

SHA256
3b34c69e292128649217b26b9de9d75fe2c285d82773a37e100d9ad4db5fb256

SHA512
88c58f437c198e113f038e90311894bdf03b06ae6bff28f9c4242b51655f8bb8de15f237aa45fb9e730dab70ebc34c9e9c635f32702626b729dd4a6aa92c78ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Adsnuery\altsCore.dll
Filesize
1.1MB

MD5
eca15499ba78aa5aaf8d3ad2311ec097

SHA1
d30a04f76ad83f643342238411e5aebaef0b3442

SHA256
39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857

SHA512
2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf

Download Submit
memory/64-161-0x0000000000000000-mapping.dmp

Download
memory/1852-132-0x0000000000000000-mapping.dmp

Download
memory/1852-133-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1852-134-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1852-135-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1852-136-0x0000000000740000-0x000000000078B000-memory.dmp

Filesize
300KB

Download
memory/1852-144-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/2096-168-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2096-157-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-169-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2096-173-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2096-146-0x00000000071B0000-0x0000000007264000-memory.dmp

Filesize
720KB

Download
memory/2096-167-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2096-154-0x00000000071B0000-0x0000000007264000-memory.dmp

Filesize
720KB

Download
memory/2096-172-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2096-171-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2096-170-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2096-158-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2096-159-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2096-160-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2640-166-0x00000000006A0000-0x0000000000747000-memory.dmp

Filesize
668KB

Download
memory/2640-164-0x0000000000000000-mapping.dmp

Download
memory/2640-165-0x00000000007A6B20-0x00000000007A6B24-memory.dmp

Filesize
4B

Download
memory/2760-155-0x0000000000000000-mapping.dmp

Download
memory/3456-151-0x0000018A56BC0000-0x0000018A56C74000-memory.dmp

Filesize
720KB

Download
memory/3532-156-0x0000000000000000-mapping.dmp

Download
memory/3808-152-0x000001990E380000-0x000001990E434000-memory.dmp

Filesize
720KB

Download
memory/4336-150-0x00000000004A0000-0x0000000000554000-memory.dmp

Filesize
720KB

Download
memory/4336-147-0x00000000004A0000-0x0000000000554000-memory.dmp

Filesize
720KB

Download
memory/4336-143-0x0000000000000000-mapping.dmp

Download
memory/4716-153-0x00000191844E0000-0x0000019184594000-memory.dmp

Filesize
720KB

Download
memory/4804-149-0x0000025B8F370000-0x0000025B8F424000-memory.dmp

Filesize
720KB

Download
memory/4804-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads