gozi | 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a

General

Target

4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll
Size

1.1MB
MD5

3267b8df7235b5333b7ac00059273fc1
SHA1

fb722196edc83de5c147d1bef4eb676d0ff67543
SHA256

4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
SHA512

7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69pTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4K

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\comsspex = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Acletall\\DfsSspci.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 1712 set thread context of 1288	1712	rundll32.exe	control.exe
PID 1288 set thread context of 1312	1288	control.exe	Explorer.EXE
PID 1288 set thread context of 652	1288	control.exe	rundll32.exe
PID 1312 set thread context of 1256	1312	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

1712 rundll32.exe
1312 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

1712 rundll32.exe
1288 control.exe
1288 control.exe
1312 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE

pid	process
1712	rundll32.exe
1312	Explorer.EXE

pid	process
1712	rundll32.exe
1288	control.exe
1288	control.exe
1312	Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

pid	process
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1712	1208	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1712 wrote to memory of 1288	1712	rundll32.exe	control.exe
PID 1288 wrote to memory of 1312	1288	control.exe	Explorer.EXE
PID 1288 wrote to memory of 1312	1288	control.exe	Explorer.EXE
PID 1288 wrote to memory of 1312	1288	control.exe	Explorer.EXE
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1288 wrote to memory of 652	1288	control.exe	rundll32.exe
PID 1312 wrote to memory of 1696	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1696	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1696	1312	Explorer.EXE	cmd.exe
PID 1696 wrote to memory of 1964	1696	cmd.exe	nslookup.exe
PID 1696 wrote to memory of 1964	1696	cmd.exe	nslookup.exe
PID 1696 wrote to memory of 1964	1696	cmd.exe	nslookup.exe
PID 1312 wrote to memory of 1460	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1460	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1460	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1256	1312	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:652

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3FC4.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1964

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3FC4.bi1"
2⤵
PID:1460

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3FC4.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC4.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Acletall\DfsSspci.dll
Filesize
1.1MB

MD5
3267b8df7235b5333b7ac00059273fc1

SHA1
fb722196edc83de5c147d1bef4eb676d0ff67543

SHA256
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a

SHA512
7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487

Download Submit
memory/652-74-0x0000000001B10000-0x0000000001BC4000-memory.dmp

Filesize
720KB

Download
memory/652-72-0x0000000000000000-mapping.dmp

Download
memory/1256-82-0x00000000002E0000-0x0000000000387000-memory.dmp

Filesize
668KB

Download
memory/1256-81-0x0000000000000000-mapping.dmp

Download
memory/1288-73-0x0000000001BD0000-0x0000000001C84000-memory.dmp

Filesize
720KB

Download
memory/1288-67-0x0000000000000000-mapping.dmp

Download
memory/1288-69-0x0000000001BD0000-0x0000000001C84000-memory.dmp

Filesize
720KB

Download
memory/1288-70-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download
memory/1312-75-0x0000000004CF0000-0x0000000004DA4000-memory.dmp

Filesize
720KB

Download
memory/1460-78-0x0000000000000000-mapping.dmp

Download
memory/1696-76-0x0000000000000000-mapping.dmp

Download
memory/1712-68-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1712-60-0x0000000000150000-0x000000000019B000-memory.dmp

Filesize
300KB

Download
memory/1712-59-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1712-54-0x0000000000000000-mapping.dmp

Download
memory/1712-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1712-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1712-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1712-55-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1964-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads