gozi_ifsb | f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab | Triage

Analysis

max time kernel
75s
max time network
80s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 16:03

Sharing

Report Analysis Logs

General

Target

6a76e615_by_Libranalysis.dll
Size

851KB
MD5

6a76e615a7997fc04e3003ce16c9bc3d
SHA1

90d82c7e8a3f2d3c4ec8e4542605eafbcb07bf95
SHA256

f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab
SHA512

b132a87d0c5391049d57f8cf3448a86b5f69822b2dfa51e99235ed497fa25b981664d8545e6d34c12f46cb39835f6b324198fb12de45a9e8588a83d2afb4e595

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

green.salurober.com

frm.mironeramp.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 740 wrote to memory of 1340	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1340	740	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 1340	740	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a76e615_by_Libranalysis.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a76e615_by_Libranalysis.dll,#1
2⤵
PID:1340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-114-0x0000000000000000-mapping.dmp

Download
memory/1340-116-0x0000000074290000-0x0000000074379000-memory.dmp

Filesize
932KB

Download
memory/1340-115-0x0000000074290000-0x000000007429E000-memory.dmp

Filesize
56KB

Download
memory/1340-117-0x0000000002C00000-0x0000000002D4A000-memory.dmp

Filesize
1.3MB

Download