gozi_ifsb | 92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b | Triage

Analysis

max time kernel
118s
max time network
93s
platform
windows7_x64
resource
win7v20201028
submitted
14-03-2021 04:39

Sharing

Report Analysis Logs

General

Target

92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b.dll
Size

563KB
MD5

8b851b9d3d35d64a9692234069c2572d
SHA1

2e47c72028a54ccd3c51c56f69674b6b22a6c76e
SHA256

92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b
SHA512

663ed5d14ce767ba41f8a4ed89438c4b1bc11d6adfde9d9868f19798d10200489c4b98d616e88155e3d81e26a82b916a47c0ddf45fe2552904a1ba5535fdeb8f

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1464	2008	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b.dll
2⤵
PID:1464

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-4-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/1464-3-0x0000000000000000-mapping.dmp

Download
memory/1464-5-0x0000000074350000-0x000000007435F000-memory.dmp

Filesize
60KB

Download
memory/1464-6-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download