gozi | 8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7

General

Target

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll
Size

672KB
MD5

281ab1908c42955077a6ae9434c404a0
SHA1

d3dba9abdce5630188d8c51886e889305a698607
SHA256

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7
SHA512

212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99
SSDEEP

12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNA:97EIeewHNIAIiRmQ9ujeNA

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://maiamirainy.at

Attributes

build
217027
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Authtdll = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Apilxapi\\dfdtxva2.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 2860 set thread context of 2740	2860	rundll32.exe	control.exe
PID 2740 set thread context of 1196	2740	control.exe	Explorer.EXE
PID 2740 set thread context of 2636	2740	control.exe	rundll32.exe
PID 1196 set thread context of 1976	1196	Explorer.EXE	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

2860 rundll32.exe
1196 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

2860 rundll32.exe
2740 control.exe
2740 control.exe
1196 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE

pid	process
2860	rundll32.exe
1196	Explorer.EXE

pid	process
2860	rundll32.exe
2740	control.exe
2740	control.exe
1196	Explorer.EXE

pid	process
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 2860	2180	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2860 wrote to memory of 2740	2860	rundll32.exe	control.exe
PID 2740 wrote to memory of 1196	2740	control.exe	Explorer.EXE
PID 2740 wrote to memory of 1196	2740	control.exe	Explorer.EXE
PID 2740 wrote to memory of 1196	2740	control.exe	Explorer.EXE
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 2740 wrote to memory of 2636	2740	control.exe	rundll32.exe
PID 1196 wrote to memory of 1600	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1600	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1600	1196	Explorer.EXE	cmd.exe
PID 1600 wrote to memory of 1556	1600	cmd.exe	nslookup.exe
PID 1600 wrote to memory of 1556	1600	cmd.exe	nslookup.exe
PID 1600 wrote to memory of 1556	1600	cmd.exe	nslookup.exe
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1976	1196	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\control.exe
      C:\Windows\system32\control.exe /?
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
        5⤵
        
        PID:2636
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1BE0.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1BE0.bi1"
  2⤵
  PID:1488
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1BE0.bi1

Filesize
110B

MD5
469534e44d6489436c26d5e0d473ae1e

SHA1
539f7ae0225c588fd2a60ee4ed036c568e2e8333

SHA256
66d8bb9e94e6ee72da81b36efe59cfbb3db29170fc39cd2b43a39e5eb5087ce5

SHA512
9d885af2c1a9800b5bedb4ea85559005c512db1831d5de2d3be438ad6a56099de211cd7ff0432a76c7044ba3b83389ab58bfd6c72e6b3f42452f3a82c1fde3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BE0.bi1

Filesize
121B

MD5
58910db4e6beb9df6a7facc8ff9ebd01

SHA1
4ac7a11682951faa9a2158955ec2887f2b54b7b2

SHA256
8da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f

SHA512
ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Apilxapi\dfdtxva2.dll

Filesize
672KB

MD5
281ab1908c42955077a6ae9434c404a0

SHA1
d3dba9abdce5630188d8c51886e889305a698607

SHA256
8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7

SHA512
212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99

Download Submit
memory/1196-46-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-33-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-55-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-23-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-61-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-27-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1196-29-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-31-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-36-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-35-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-39-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-62-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-34-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-59-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1196-32-0x0000000005170000-0x0000000005221000-memory.dmp

Filesize
708KB

Download
memory/1976-56-0x00000000001F0000-0x0000000000294000-memory.dmp

Filesize
656KB

Download
memory/2636-40-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2636-47-0x0000000001E30000-0x0000000001EE1000-memory.dmp

Filesize
708KB

Download
memory/2636-41-0x0000000001E30000-0x0000000001EE1000-memory.dmp

Filesize
708KB

Download
memory/2636-45-0x0000000001E30000-0x0000000001EE1000-memory.dmp

Filesize
708KB

Download
memory/2740-22-0x0000000001AE0000-0x0000000001B91000-memory.dmp

Filesize
708KB

Download
memory/2740-28-0x0000000001AE0000-0x0000000001B91000-memory.dmp

Filesize
708KB

Download
memory/2740-21-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2740-50-0x0000000001AE0000-0x0000000001B91000-memory.dmp

Filesize
708KB

Download
memory/2740-14-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2740-15-0x0000000001AE0000-0x0000000001B91000-memory.dmp

Filesize
708KB

Download
memory/2860-0-0x0000000001FB0000-0x0000000002961000-memory.dmp

Filesize
9.7MB

Download
memory/2860-20-0x0000000001FB0000-0x0000000002961000-memory.dmp

Filesize
9.7MB

Download
memory/2860-5-0x00000000002C0000-0x000000000030A000-memory.dmp

Filesize
296KB

Download
memory/2860-12-0x00000000002C0000-0x000000000030A000-memory.dmp

Filesize
296KB

Download
memory/2860-2-0x000000000204D000-0x0000000002052000-memory.dmp

Filesize
20KB

Download
memory/2860-1-0x0000000001FB0000-0x0000000002961000-memory.dmp

Filesize
9.7MB

Download
memory/2860-3-0x0000000001FB0000-0x0000000002961000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads