gozi | 336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

General

Target

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
Size

526KB
MD5

7afb45ac5810698b4f3d8bc49e5d02c9
SHA1

82ac0b36bc447b697a907067a4163f4904d8ab25
SHA256

336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798
SHA512

d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21
SSDEEP

12288:Y3oGlmVDxLpA4pxc7wak9J5Q4xyhdG0++sVMJG2T7D/mxeT6xY:bVDZi4QEakn5PS+yFTXmAOxY

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

d3d8lAPI.exed3d8lAPI.exe

pid process

2564 d3d8lAPI.exe
2720 d3d8lAPI.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3028 cmd.exe
3028 cmd.exe

pid	process
2564	d3d8lAPI.exe
2720	d3d8lAPI.exe

pid	process
3028	cmd.exe
3028	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHxRwave = "C:\\Users\\Admin\\AppData\\Roaming\\Auxistui\\d3d8lAPI.exe"	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exed3d8lAPI.exed3d8lAPI.exesvchost.exe

description	pid	process	target process
PID 1940 set thread context of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2564 set thread context of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2720 set thread context of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2488 set thread context of 1200	2488	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d3d8lAPI.exeExplorer.EXE

pid process

2720 d3d8lAPI.exe
1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

d3d8lAPI.exesvchost.exe

pid process

2720 d3d8lAPI.exe
2488 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
2720	d3d8lAPI.exe
1200	Explorer.EXE

pid	process
2720	d3d8lAPI.exe
2488	svchost.exe

pid	process
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exeVirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.execmd.execmd.exed3d8lAPI.exed3d8lAPI.exesvchost.exe

description	pid	process	target process
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1940 wrote to memory of 2956	1940	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2956 wrote to memory of 2860	2956	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2956 wrote to memory of 2860	2956	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2956 wrote to memory of 2860	2956	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2956 wrote to memory of 2860	2956	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2860 wrote to memory of 3028	2860	cmd.exe	cmd.exe
PID 2860 wrote to memory of 3028	2860	cmd.exe	cmd.exe
PID 2860 wrote to memory of 3028	2860	cmd.exe	cmd.exe
PID 2860 wrote to memory of 3028	2860	cmd.exe	cmd.exe
PID 3028 wrote to memory of 2564	3028	cmd.exe	d3d8lAPI.exe
PID 3028 wrote to memory of 2564	3028	cmd.exe	d3d8lAPI.exe
PID 3028 wrote to memory of 2564	3028	cmd.exe	d3d8lAPI.exe
PID 3028 wrote to memory of 2564	3028	cmd.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2564 wrote to memory of 2720	2564	d3d8lAPI.exe	d3d8lAPI.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2720 wrote to memory of 2488	2720	d3d8lAPI.exe	svchost.exe
PID 2488 wrote to memory of 1200	2488	svchost.exe	Explorer.EXE
PID 2488 wrote to memory of 1200	2488	svchost.exe	Explorer.EXE
PID 2488 wrote to memory of 1200	2488	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\83C0\41E0.bat" "C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe
"C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe
"C:\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2488

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83C0\41E0.bat
Filesize
112B

MD5
378b385ff5988669c7474bb5d153c889

SHA1
78140c93b172bf2f7969771b6c6858006d9b578c

SHA256
3a15ffb0c0da88f3ff7dd4a88f98b0026c3340dedceb5da7ab863f5d2d4492db

SHA512
c2c7670cc4fc604c8f63c36d75baa67fef99259246afe165726fabc16c8c558d5eeef20480dbdabb61b4d47413830f4bcc6139f1678e7f6a66f880d52d8478ad

Download Submit
\Users\Admin\AppData\Roaming\Auxistui\d3d8lAPI.exe
Filesize
526KB

MD5
7afb45ac5810698b4f3d8bc49e5d02c9

SHA1
82ac0b36bc447b697a907067a4163f4904d8ab25

SHA256
336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

SHA512
d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21

Download Submit
memory/1200-61-0x0000000004C70000-0x0000000004D74000-memory.dmp

Filesize
1.0MB

Download
memory/1200-70-0x0000000004C70000-0x0000000004D74000-memory.dmp

Filesize
1.0MB

Download
memory/1200-73-0x0000000004C70000-0x0000000004D74000-memory.dmp

Filesize
1.0MB

Download
memory/1200-72-0x0000000004C70000-0x0000000004D74000-memory.dmp

Filesize
1.0MB

Download
memory/1200-71-0x0000000004C70000-0x0000000004D74000-memory.dmp

Filesize
1.0MB

Download
memory/2488-56-0x00000000003A0000-0x00000000004A4000-memory.dmp

Filesize
1.0MB

Download
memory/2488-62-0x00000000003A0000-0x00000000004A4000-memory.dmp

Filesize
1.0MB

Download
memory/2488-54-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2720-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2720-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2956-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads