gozi_ifsb | 236491cfe870f6b374d80e427ef8f8bfbf24f50d4029128b001d95c8c90845cb | Triage

Resubmissions

16/02/2021, 11:24

210216-8sa4xvae2j 10

Analysis

max time kernel
17s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
16/02/2021, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.exe.dll
Size

332KB
MD5

bb6172739040ab04a078a1c61ef9a4e7
SHA1

34d6680a4ae007b81273196a7c0fc282903562f1
SHA256

236491cfe870f6b374d80e427ef8f8bfbf24f50d4029128b001d95c8c90845cb
SHA512

35e155dd1f5a16c4f87c8c86454518f481120d9fc390be0dfa2bc4e6f1895b83c10b0675b0ad221bf215dd6d43f84b278f7fa9256934400eaa603a04a6dfb875

Score

10^/10

gozi_ifsb 7555 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7555

C2

c.s-microsoft.com

ajax.googleapis.com

greatewallfirewall.xyz

185.186.244.130

booloolo2.com

37.120.222.107

Attributes

build
251173
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 1352	724	rundll32.exe	71
PID 724 wrote to memory of 1352	724	rundll32.exe	71
PID 724 wrote to memory of 1352	724	rundll32.exe	71

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.exe.dll,#1
  2⤵
  PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-4-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1352-3-0x0000000002780000-0x000000000279F000-memory.dmp

Filesize
124KB

Download