gozi_ifsb | 09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285 | Triage

Resubmissions

27-10-2021 11:33

211027-npbnjseeh6 10

04-02-2021 15:53

210204-ry8nav1e26 10

22-01-2021 18:03

210122-wbsmxw8v7s 10

Analysis

max time kernel
32s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 18:03

Sharing

Report Analysis Logs

General

Target

out.dll
Size

95KB
MD5

2ff0ff62b5cf7e7097f75a37492f02f8
SHA1

9d60d24299762f4aa7fa71838b58e4e747b95df6
SHA256

09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
SHA512

dc9a5422b9f49910db2ad66d4b4d010fb538e6c12e214c33b4b5ee3c5b96591d251b17d9ff99a7dea83b25b62e6ec521a7292471f42def6cb00b2fa139a9eea6

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25
PID 296 wrote to memory of 796	296	rundll32.exe	25

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
  2⤵
  PID:796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-2-0x0000000000000000-mapping.dmp

Download
memory/796-3-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/796-4-0x00000000000B0000-0x00000000000BC000-memory.dmp

Filesize
48KB

Download
memory/796-5-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download