gozi_ifsb | 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb | Triage

Analysis

max time kernel
3s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
11-02-2021 15:14

Sharing

Report Analysis Logs

General

Target

yytr.png.dll
Size

463KB
MD5

ba2befa9c70c2b6d779c48a59cece3e5
SHA1

4c855f80076e357d35c7d60cd52d2c49abefc5ff
SHA256

9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
SHA512

bdc4e33de9de4cf27d1df05e22163c6a3ef0d2406d80cb51db34139bf08cc3a923b079686fbc0a1b359ee46447eb0583c3343360d7e755179e9661c4a503047e

Score

10^/10

gozi_ifsb 3131 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3131

C2

c.s-microsoft.com

firebaseremoteconfig.googleapis.com

pronpepsipirpyamvioerd.com

80.208.230.180

Attributes

build
250177
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1896	1784	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#1
  2⤵
  PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-2-0x0000000000000000-mapping.dmp

Download
memory/1896-3-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1896-5-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download
memory/1896-4-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1896-6-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download