Overview

overview

10

Static

static

33.dll

windows7_x64

10

33.dll

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-03-2021 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33.dll

  • Size

    170KB

  • MD5

    b70bb01648a76dd8545fd12ec53b9ce7

  • SHA1

    78a6919ffa9a86d8e85f248ce6435754b4d6f60b

  • SHA256

    4713834ea4f17e583ce824f4c2ee391cafac251d6f0d64a5234b417ac593094b

  • SHA512

    fe6eb27d690d3d2bd9771408588c34d6287514d6247e034e9f009ecef8f1bc41cb76ed9a42d8ab3b57cb3cfa1ec24a501b5532b27c5eba55369ed2e0dc1389e3

Score
10/10
gozi_ifsb3300bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3300

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1
Attributes
  • build

    250180

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\33.dll
      2⤵
        PID:4796
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2092

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2092-5-0x0000000000000000-mapping.dmp
      Download
    • memory/4796-2-0x0000000000000000-mapping.dmp
      Download
    • memory/4796-3-0x00000000759C0000-0x00000000759CF000-memory.dmp
      Filesize

      60KB

      Download
    • memory/4796-4-0x00000000003D0000-0x00000000003D1000-memory.dmp
      Filesize

      4KB

      Download