gozi_ifsb | 34b5104cdaacdedc1bc930061e31355da40dc5071bcc77c188aac7f2734cc337 | Triage

Analysis

max time kernel
109s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 10:28

Sharing

Report Analysis Logs

General

Target

59767b2ac03eb8320a661f410d53a025c8975b12de796e80b1c84306200f6a75.dll
Size

488KB
MD5

aaba239e1c2208a6f00bb10034cba621
SHA1

2520815cda4b4cdf652de337d4c9285e74d2a585
SHA256

59767b2ac03eb8320a661f410d53a025c8975b12de796e80b1c84306200f6a75
SHA512

1c80f3ff51f5d9b53232a1d9fb10c02bf22d8fbd686b76b8c6718b11bf6e834ca5b02c19535f70cbc08ade26360d0b42c5b944d63516853fb84acc573614ad16

Score

10^/10

gozi_ifsb 2500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4660 wrote to memory of 4768	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 4768	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 4768	4660	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59767b2ac03eb8320a661f410d53a025c8975b12de796e80b1c84306200f6a75.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59767b2ac03eb8320a661f410d53a025c8975b12de796e80b1c84306200f6a75.dll,#1
2⤵
PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-114-0x0000000000000000-mapping.dmp

Download
memory/4768-115-0x0000000000C20000-0x0000000000DA0000-memory.dmp

Filesize
1.5MB

Download
memory/4768-116-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/4768-117-0x0000000000C21000-0x0000000000C54000-memory.dmp

Filesize
204KB

Download
memory/4768-118-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download