gozi | 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a

General

Target

4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll
Size

1.1MB
MD5

3267b8df7235b5333b7ac00059273fc1
SHA1

fb722196edc83de5c147d1bef4eb676d0ff67543
SHA256

4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
SHA512

7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69pTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4K

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfmirces = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Charwork\\clict3ui.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 3888 set thread context of 5008	3888	rundll32.exe	control.exe
PID 5008 set thread context of 2620	5008	control.exe	Explorer.EXE
PID 5008 set thread context of 3288	5008	control.exe	rundll32.exe
PID 2620 set thread context of 3432	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 set thread context of 3652	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 set thread context of 3376	2620	Explorer.EXE	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

3888 rundll32.exe
3888 rundll32.exe
2620 Explorer.EXE
2620 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2620 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

3888 rundll32.exe
5008 control.exe
5008 control.exe
2620 Explorer.EXE
2620 Explorer.EXE
2620 Explorer.EXE

pid	process
3888	rundll32.exe
3888	rundll32.exe
2620	Explorer.EXE
2620	Explorer.EXE

pid	process
2620	Explorer.EXE

pid	process
3888	rundll32.exe
5008	control.exe
5008	control.exe
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeShutdownPrivilege	3432	RuntimeBroker.exe
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeShutdownPrivilege	3432	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2620 Explorer.EXE

pid	process
2620	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4832 wrote to memory of 3888	4832	rundll32.exe	rundll32.exe
PID 4832 wrote to memory of 3888	4832	rundll32.exe	rundll32.exe
PID 4832 wrote to memory of 3888	4832	rundll32.exe	rundll32.exe
PID 3888 wrote to memory of 5008	3888	rundll32.exe	control.exe
PID 3888 wrote to memory of 5008	3888	rundll32.exe	control.exe
PID 3888 wrote to memory of 5008	3888	rundll32.exe	control.exe
PID 3888 wrote to memory of 5008	3888	rundll32.exe	control.exe
PID 3888 wrote to memory of 5008	3888	rundll32.exe	control.exe
PID 5008 wrote to memory of 2620	5008	control.exe	Explorer.EXE
PID 5008 wrote to memory of 2620	5008	control.exe	Explorer.EXE
PID 5008 wrote to memory of 2620	5008	control.exe	Explorer.EXE
PID 5008 wrote to memory of 3288	5008	control.exe	rundll32.exe
PID 5008 wrote to memory of 3288	5008	control.exe	rundll32.exe
PID 5008 wrote to memory of 3288	5008	control.exe	rundll32.exe
PID 5008 wrote to memory of 3288	5008	control.exe	rundll32.exe
PID 5008 wrote to memory of 3288	5008	control.exe	rundll32.exe
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 3652	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 3652	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 3652	2620	Explorer.EXE	RuntimeBroker.exe
PID 2620 wrote to memory of 4408	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 4408	2620	Explorer.EXE	cmd.exe
PID 4408 wrote to memory of 1880	4408	cmd.exe	nslookup.exe
PID 4408 wrote to memory of 1880	4408	cmd.exe	nslookup.exe
PID 2620 wrote to memory of 2492	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 2492	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe
PID 2620 wrote to memory of 3376	2620	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:3288

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6467.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1880

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6467.bi1"
2⤵
PID:2492

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6467.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6467.bi1
Filesize
118B

MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Charwork\clict3ui.dll
Filesize
1.1MB

MD5
3267b8df7235b5333b7ac00059273fc1

SHA1
fb722196edc83de5c147d1bef4eb676d0ff67543

SHA256
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a

SHA512
7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487

Download Submit
memory/1880-156-0x0000000000000000-mapping.dmp

Download
memory/2492-157-0x0000000000000000-mapping.dmp

Download
memory/2620-147-0x00000000032F0000-0x00000000033A4000-memory.dmp

Filesize
720KB

Download
memory/2620-152-0x00000000032F0000-0x00000000033A4000-memory.dmp

Filesize
720KB

Download
memory/3288-150-0x00000238311C0000-0x0000023831274000-memory.dmp

Filesize
720KB

Download
memory/3288-148-0x0000000000000000-mapping.dmp

Download
memory/3376-161-0x0000000000636B20-0x0000000000636B24-memory.dmp

Filesize
4B

Download
memory/3376-163-0x0000000001140000-0x00000000011E7000-memory.dmp

Filesize
668KB

Download
memory/3376-160-0x0000000000000000-mapping.dmp

Download
memory/3376-162-0x0000000001140000-0x00000000011E7000-memory.dmp

Filesize
668KB

Download
memory/3432-153-0x0000022653450000-0x0000022653504000-memory.dmp

Filesize
720KB

Download
memory/3652-154-0x00000266B7F30000-0x00000266B7FE4000-memory.dmp

Filesize
720KB

Download
memory/3888-146-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/3888-132-0x0000000000000000-mapping.dmp

Download
memory/3888-137-0x0000000000C40000-0x0000000000C8B000-memory.dmp

Filesize
300KB

Download
memory/3888-136-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/3888-135-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/3888-134-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/3888-133-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4408-155-0x0000000000000000-mapping.dmp

Download
memory/5008-144-0x0000000000000000-mapping.dmp

Download
memory/5008-151-0x0000000000B90000-0x0000000000C44000-memory.dmp

Filesize
720KB

Download
memory/5008-145-0x0000000000B90000-0x0000000000C44000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads