gozi_ifsb | 74cc533238ae33245519b52784db0e6adbd3380b350717fdc69d4e36714173d5 | Triage

Analysis

max time kernel
52s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 09:16

Sharing

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295.dll
Size

391KB
MD5

81f401defa8faa2e4745590bc4f6c008
SHA1

bddb75a5aa6ed1272307ee096b59e2e61076a6f9
SHA256

74cc533238ae33245519b52784db0e6adbd3380b350717fdc69d4e36714173d5
SHA512

52b3ee08b33915c910733f05087ccbaf01f02693eeb91baa0c6c7a7350dc38709556142dde4db650614d6401244171fc3b2279516cd0851498752e6cafe104fc

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe
PID 776 wrote to memory of 1916	776	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295.dll
2⤵
PID:1916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-2-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1916-3-0x0000000000000000-mapping.dmp

Download
memory/1916-4-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1916-5-0x0000000074620000-0x000000007462F000-memory.dmp

Filesize
60KB

Download
memory/1916-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download