gozi_ifsb | 26565bb980df7e0a005468cf2764cc72075ead4b6673c16b319c9c6b029b1bd1 | Triage

Analysis

max time kernel
70s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 14:13

Sharing

Report Analysis Logs

General

Target

kybe3.dll
Size

563KB
MD5

c7eeecef364f35c1b3f56b3136d5607f
SHA1

17b1f56ce5ffed92d7939315ebc1818157f02506
SHA256

f2059f3054bee3cb57c666b3994c0cf3aa61c981e2d70a798b5f1f43a189f20a
SHA512

31da7d5d631dd7809e252374dded9ab47fe17875ae53a8680e1aa433dda65cbe4688f6a3d1afaca67dcb30756c988476381444e1c6e16090bb4b7278a52b6f34

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3132 wrote to memory of 504	3132	regsvr32.exe	regsvr32.exe
PID 3132 wrote to memory of 504	3132	regsvr32.exe	regsvr32.exe
PID 3132 wrote to memory of 504	3132	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kybe3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\kybe3.dll
2⤵
PID:504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-2-0x0000000000000000-mapping.dmp

Download
memory/504-3-0x0000000073BA0000-0x0000000073BAF000-memory.dmp

Filesize
60KB

Download
memory/504-4-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download