gozi_ifsb | 09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285 | Triage

Resubmissions

27-10-2021 11:33

211027-npbnjseeh6 10

04-02-2021 15:53

210204-ry8nav1e26 10

22-01-2021 18:03

210122-wbsmxw8v7s 10

Analysis

max time kernel
24s
max time network
25s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 15:53

Sharing

Report Analysis Logs

General

Target

out.dll
Size

95KB
MD5

2ff0ff62b5cf7e7097f75a37492f02f8
SHA1

9d60d24299762f4aa7fa71838b58e4e747b95df6
SHA256

09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
SHA512

dc9a5422b9f49910db2ad66d4b4d010fb538e6c12e214c33b4b5ee3c5b96591d251b17d9ff99a7dea83b25b62e6ec521a7292471f42def6cb00b2fa139a9eea6

Score

10^/10

gozi_ifsb 1100 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers
exe_type

Extracted

Family

gozi_ifsb

Botnet

1100

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers
exe_type
loader

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26
PID 792 wrote to memory of 2004	792	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
  2⤵
  PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-2-0x0000000000000000-mapping.dmp

Download
memory/2004-3-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/2004-4-0x00000000000B0000-0x00000000000BC000-memory.dmp

Filesize
48KB

Download
memory/2004-5-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download