gozi_ifsb | 874342cb9571e9c05d9e29b415c42767df9ca677abfd9867ad23f966cdc6e80a | Triage

Analysis

max time kernel
44s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
10-02-2021 13:08

Sharing

Report Analysis Logs

General

Target

a088841ceeaee1306585579ef9a72980.dll
Size

286KB
MD5

a088841ceeaee1306585579ef9a72980
SHA1

fa643f530d8662b61ba459dae488332945e203a5
SHA256

874342cb9571e9c05d9e29b415c42767df9ca677abfd9867ad23f966cdc6e80a
SHA512

8f78fa6b0b76d3b11a1f0f6f2d990486e950d140dd5d692c3c8112643c730a47d83e93259bf362074b6c826f0a57dac81974b1d4e65fa9c0ddc981ac75cd3aa1

Score

10^/10

gozi_ifsb 2200 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2200

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2016	1616	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a088841ceeaee1306585579ef9a72980.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a088841ceeaee1306585579ef9a72980.dll,#1
2⤵
PID:2016

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-2-0x0000000000000000-mapping.dmp

Download
memory/2016-3-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/2016-4-0x00000000752C0000-0x00000000752CF000-memory.dmp

Filesize
60KB

Download
memory/2016-5-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download