Analysis

  • max time kernel
    41s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    16-03-2021 06:45

General

  • Target

    file.dll

  • Size

    457KB

  • MD5

    e57116d079e5f8532959ac73fa54211b

  • SHA1

    3c4615f2200c1d01c5a1880bb1bc2c072117ddf8

  • SHA256

    68c1d27603528e896c0d5cab01240c441b4cc08797faf0d4578261b824d07f82

  • SHA512

    7d8d63633a053f09aaa5bd45460c2661120f49a6c5c12725ad85645d2f7c7e5b9cc6ea0b1d66d31ec8b73c506c765a37fab6ab843c2f8ef82551dcad879c9b02

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

Attributes
  • build

    250177

  • dga_season

    10

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
      2⤵
        PID:1084

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1084-2-0x0000000000000000-mapping.dmp
  • memory/1084-3-0x00000000761E1000-0x00000000761E3000-memory.dmp
    Filesize

    8KB

  • memory/1084-4-0x0000000074B90000-0x0000000074B9F000-memory.dmp
    Filesize

    60KB

  • memory/1084-5-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB