gozi | 84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e

General

Target

0196aa6b6e09389e94acafba9049fe5f.dll
Size

355KB
MD5

0196aa6b6e09389e94acafba9049fe5f
SHA1

6248bd71cc01f4dd0728bf8536c29aff31adb4ce
SHA256

84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e
SHA512

004683c3bcc190134f6715bef7fc1d788e3b7d02c68f6f51980433078be7c126f382fb2832d2668c23f234f9b6ab0d0e1e2e1d0dca33d9f40803f412f566c81a
SSDEEP

6144:BstpyZ+ANKcOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbA3OOmljdLGeZOGH7Cu

Score

10^/10

gozi 1500 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1500

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D65EF90-A283-11EE-9BE3-D2066D8F1295} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

452 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

452 iexplore.exe
452 iexplore.exe
2612 IEXPLORE.EXE
2612 IEXPLORE.EXE

pid	process
452	iexplore.exe

pid	process
452	iexplore.exe
452	iexplore.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	process	target process
PID 1680 wrote to memory of 4784	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 4784	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 4784	1680	rundll32.exe	rundll32.exe
PID 452 wrote to memory of 2612	452	iexplore.exe	IEXPLORE.EXE
PID 452 wrote to memory of 2612	452	iexplore.exe	IEXPLORE.EXE
PID 452 wrote to memory of 2612	452	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
2⤵
PID:4784

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4784-1-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-2-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4784-0-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-3-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-4-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-5-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-6-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4784-8-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-9-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download
memory/4784-11-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/4784-14-0x0000000075090000-0x0000000075184000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads