gozi | 33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a

General

Target

33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll
Size

1.1MB
MD5

a8d1899b7942eecddb5a18b0f6b509df
SHA1

342cdb7f538fd2213ad33f673433bafba85c4b4b
SHA256

33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a
SHA512

924682746c7185b9852d226f63c5082d023865f0a3c293569eef100f7c60df9f5bcb848a3ae8cf52d7d16f0059c936f725622574190ba89f7654c304a4687068
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69vTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4c

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfscels = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Blb_aext\\dmutslad.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.execontrol.exe

description	pid	process	target process
PID 916 set thread context of 1236	916	rundll32.exe	control.exe
PID 1236 set thread context of 1284	1236	control.exe	Explorer.EXE
PID 1236 set thread context of 1340	1236	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

916 rundll32.exe
1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.execontrol.exe

pid process

916 rundll32.exe
1236 control.exe
1236 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
916	rundll32.exe
1284	Explorer.EXE

pid	process
916	rundll32.exe
1236	control.exe
1236	control.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execontrol.exe

description	pid	process	target process
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 916	880	rundll32.exe	rundll32.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 916 wrote to memory of 1236	916	rundll32.exe	control.exe
PID 1236 wrote to memory of 1284	1236	control.exe	Explorer.EXE
PID 1236 wrote to memory of 1284	1236	control.exe	Explorer.EXE
PID 1236 wrote to memory of 1284	1236	control.exe	Explorer.EXE
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe
PID 1236 wrote to memory of 1340	1236	control.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Blb_aext\dmutslad.dll
Filesize
1.1MB

MD5
a8d1899b7942eecddb5a18b0f6b509df

SHA1
342cdb7f538fd2213ad33f673433bafba85c4b4b

SHA256
33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a

SHA512
924682746c7185b9852d226f63c5082d023865f0a3c293569eef100f7c60df9f5bcb848a3ae8cf52d7d16f0059c936f725622574190ba89f7654c304a4687068

Download Submit
memory/916-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/916-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/916-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/916-59-0x0000000000170000-0x00000000001BB000-memory.dmp

Filesize
300KB

Download
memory/916-54-0x0000000000000000-mapping.dmp

Download
memory/916-67-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1236-66-0x0000000000000000-mapping.dmp

Download
memory/1236-69-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1236-68-0x00000000002A0000-0x0000000000354000-memory.dmp

Filesize
720KB

Download
memory/1236-73-0x00000000002A0000-0x0000000000354000-memory.dmp

Filesize
720KB

Download
memory/1284-74-0x00000000049A0000-0x0000000004A54000-memory.dmp

Filesize
720KB

Download
memory/1340-71-0x0000000000000000-mapping.dmp

Download
memory/1340-72-0x0000000001B10000-0x0000000001BC4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads