gozi | 81f3c9ef76877647a56874054c58756d67e512ad55a0ab273dfa5e88dddd7c5c

General

Target

tster.exe
Size

11KB
MD5

feb6fd23d005b8d70446866b206042f8
SHA1

d7d01f6639e0f060e91a35949f9bf346aa0ea81a
SHA256

81f3c9ef76877647a56874054c58756d67e512ad55a0ab273dfa5e88dddd7c5c
SHA512

20f86fa77e079bd3794c32e793a9adb79ad7d847ca8d74591321153330dfa9aa15d11279b45a9497fec910b58533cdeedc293858fa29d20ffb80f96d519c70da
SSDEEP

192:52R8JP/PCS+plrpcV5K9+JPiukknPfhTx0ujmN+LKyOLi:58Q/a9plrpcVI9SKQfgutKyOL

Score

10^/10

gozi banker isfb spyware stealer trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exetster.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	tster.exe

Executes dropped EXE 1 IoCs

Processes:

xfmnpne4.exe

pid process

4832 xfmnpne4.exe
Loads dropped DLL 1 IoCs

Processes:

tster.exe

pid process

1788 tster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

25 raw.githubusercontent.com
26 raw.githubusercontent.com
42 discord.com
43 discord.com
59 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

55 checkip.amazonaws.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

456 schtasks.exe

pid	process
4832	xfmnpne4.exe

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com
42	discord.com
43	discord.com
59	discord.com

flow	ioc
55	checkip.amazonaws.com

pid	process
456	schtasks.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\pearpear81962580.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tster.exexfmnpne4.exe

pid	process
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
4832	xfmnpne4.exe
4832	xfmnpne4.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe
1788	tster.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tster.exexfmnpne4.exe

description pid process

Token: SeDebugPrivilege 1788 tster.exe
Token: SeDebugPrivilege 4832 xfmnpne4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tster.exe

pid process

1788 tster.exe

description	pid	process
Token: SeDebugPrivilege	1788	tster.exe
Token: SeDebugPrivilege	4832	xfmnpne4.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

tster.execmd.exeComputerDefaults.exewscript.execmd.exexfmnpne4.exe

description	pid	process	target process
PID 1788 wrote to memory of 5092	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 5092	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 5092	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 1404	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 1404	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 1404	1788	tster.exe	reg.exe
PID 1788 wrote to memory of 1064	1788	tster.exe	cmd.exe
PID 1788 wrote to memory of 1064	1788	tster.exe	cmd.exe
PID 1788 wrote to memory of 1064	1788	tster.exe	cmd.exe
PID 1064 wrote to memory of 3960	1064	cmd.exe	ComputerDefaults.exe
PID 1064 wrote to memory of 3960	1064	cmd.exe	ComputerDefaults.exe
PID 1064 wrote to memory of 3960	1064	cmd.exe	ComputerDefaults.exe
PID 3960 wrote to memory of 4272	3960	ComputerDefaults.exe	wscript.exe
PID 3960 wrote to memory of 4272	3960	ComputerDefaults.exe	wscript.exe
PID 3960 wrote to memory of 4272	3960	ComputerDefaults.exe	wscript.exe
PID 4272 wrote to memory of 548	4272	wscript.exe	cmd.exe
PID 4272 wrote to memory of 548	4272	wscript.exe	cmd.exe
PID 4272 wrote to memory of 548	4272	wscript.exe	cmd.exe
PID 1788 wrote to memory of 2312	1788	tster.exe	cmd.exe
PID 1788 wrote to memory of 2312	1788	tster.exe	cmd.exe
PID 1788 wrote to memory of 2312	1788	tster.exe	cmd.exe
PID 2312 wrote to memory of 456	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 456	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 456	2312	cmd.exe	schtasks.exe
PID 1788 wrote to memory of 4832	1788	tster.exe	xfmnpne4.exe
PID 1788 wrote to memory of 4832	1788	tster.exe	xfmnpne4.exe
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE
PID 4832 wrote to memory of 3424	4832	xfmnpne4.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\tster.exe
"C:\Users\Admin\AppData\Local\Temp\tster.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\pearpear81962580.vbs" /f
3⤵
- Modifies registry class
PID:5092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
3⤵
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\pearpear81962580.vbs
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
6⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN PlexMediaServerUpdater_9DaxSEEMIrKyr0dPz050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\9DaxSEEMIrKyr0dPz050MX.exe" /RL HIGHEST /IT
3⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN PlexMediaServerUpdater_9DaxSEEMIrKyr0dPz050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\9DaxSEEMIrKyr0dPz050MX.exe" /RL HIGHEST /IT
4⤵
- Creates scheduled task(s)
PID:456

C:\Users\Admin\AppData\Local\Temp\xfmnpne4.exe
"C:\Users\Admin\AppData\Local\Temp\xfmnpne4.exe" explorer.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:8
1⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pearpear81962580.vbs
Filesize
171B

MD5
a34267102c21aff46aecc85598924544

SHA1
77268af47c6a4b9c6be7f7487b2c9b233d49d435

SHA256
eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

SHA512
5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfmnpne4.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a9X7DA7Y4C\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a9X7DA7Y4C\LOG
Filesize
329B

MD5
183a4eb1c2316f6010adb87a1d3e4af6

SHA1
564610220b51cfa42660540838a8dc3f97364a59

SHA256
e1bc8de1555717295d2e29456da47df392fe9ced668b6cb0aa376b878825035d

SHA512
e68f139c15e8e6eacf3c0d00ec71e0cdbde97448077cc55669e1a03ac88b3cb40900b79c2b1a1d81be49baac4bd808551fd2f90b03d4ce72e84c617ed5380eef

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a9X7DA7Y4C\LOG.old
Filesize
289B

MD5
ddb1d72d415d5f660e22d3d649396afb

SHA1
f485c94118cddc74352a50c7e9927362e96fd0a9

SHA256
5acd71cda7b7af34f64c98b1c261d2e59c7d385546b0c62c54da0222ce49c0e9

SHA512
51acad7828374ac19eb9a172065ee180d8318a5f04617e9c9bc41f6250158469676305af9b5a893d1c01f76734fe29a743eb29eacca49cc3c81233545b2f6d59

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a9X7DA7Y4C\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aLXD4UMJI3\n9vxbo99.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
ca56dde6b7630e54a594ceaabab91be0

SHA1
dbc6640ed0d954002817b6654b4878b862635bfd

SHA256
e230e836420c453056b412e21356e8a24a8cefcb67c185955cd16f5aba148d79

SHA512
7533272799f6e4b8ccff8e5122c347ac61d885d98a0184e08f6f7ec12f8471bf73ed3f2d9baa2dda4484f9a33f3d16ece9817eec922d1afd9413e30b893f3e24

Download Submit
memory/1788-42-0x000000000A5C0000-0x000000000A5CA000-memory.dmp

Filesize
40KB

Download
memory/1788-44-0x0000000008D80000-0x0000000008D88000-memory.dmp

Filesize
32KB

Download
memory/1788-10-0x000000000B060000-0x000000000BC60000-memory.dmp

Filesize
12.0MB

Download
memory/1788-6-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1788-1-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/1788-2-0x00000000052C0000-0x00000000052DA000-memory.dmp

Filesize
104KB

Download
memory/1788-3-0x0000000002C20000-0x0000000002C2A000-memory.dmp

Filesize
40KB

Download
memory/1788-4-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1788-5-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/1788-37-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

Filesize
72KB

Download
memory/1788-38-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/1788-39-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1788-40-0x0000000008110000-0x0000000008176000-memory.dmp

Filesize
408KB

Download
memory/1788-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/1788-41-0x00000000081D0000-0x00000000081DA000-memory.dmp

Filesize
40KB

Download
memory/1788-43-0x0000000008D60000-0x0000000008D6C000-memory.dmp

Filesize
48KB

Download
memory/1788-11-0x0000000011DF0000-0x0000000012A92000-memory.dmp

Filesize
12.6MB

Download
memory/3424-31-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3424-30-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3424-28-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3424-27-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3424-26-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads