gozi | 2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345

General

Target

2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll
Size

1.1MB
MD5

6b4640270bfa9629a0d6eba806873cc5
SHA1

8a8304f960b8e5c6f6e779d9b686d7faddddb764
SHA256

2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345
SHA512

6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805
SSDEEP

24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69tTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4+

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://drunt.at

http://news-deck.at

http://taslks.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\devmrole = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Dfscels\\AppIdmrc.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.execontrol.exe

description	pid	process	target process
PID 1108 set thread context of 1756	1108	rundll32.exe	control.exe
PID 1756 set thread context of 1400	1756	control.exe	Explorer.EXE
PID 1756 set thread context of 632	1756	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

1108 rundll32.exe
1400 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.execontrol.exe

pid process

1108 rundll32.exe
1756 control.exe
1756 control.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE

pid	process
1108	rundll32.exe
1400	Explorer.EXE

pid	process
1108	rundll32.exe
1756	control.exe
1756	control.exe

pid	process
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.execontrol.exe

description	pid	process	target process
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 1108	828	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1108 wrote to memory of 1756	1108	rundll32.exe	control.exe
PID 1756 wrote to memory of 1400	1756	control.exe	Explorer.EXE
PID 1756 wrote to memory of 1400	1756	control.exe	Explorer.EXE
PID 1756 wrote to memory of 1400	1756	control.exe	Explorer.EXE
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe
PID 1756 wrote to memory of 632	1756	control.exe	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
5⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Dfscels\AppIdmrc.dll
Filesize
1.1MB

MD5
6b4640270bfa9629a0d6eba806873cc5

SHA1
8a8304f960b8e5c6f6e779d9b686d7faddddb764

SHA256
2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345

SHA512
6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805

Download Submit
memory/632-71-0x0000000000000000-mapping.dmp

Download
memory/632-72-0x0000000001D00000-0x0000000001DB4000-memory.dmp

Filesize
720KB

Download
memory/1108-57-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1108-58-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1108-59-0x0000000000180000-0x00000000001CB000-memory.dmp

Filesize
300KB

Download
memory/1108-67-0x0000000010000000-0x0000000010A16000-memory.dmp

Filesize
10.1MB

Download
memory/1108-54-0x0000000000000000-mapping.dmp

Download
memory/1108-56-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1108-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1400-74-0x0000000006480000-0x0000000006534000-memory.dmp

Filesize
720KB

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download
memory/1756-68-0x00000000000F0000-0x00000000001A4000-memory.dmp

Filesize
720KB

Download
memory/1756-69-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1756-73-0x00000000000F0000-0x00000000001A4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads