gozi_ifsb | 9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8 | Triage

Analysis

max time kernel
51s
max time network
120s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 18:38

Sharing

Report Analysis Logs

General

Target

beed23c8b32850c8f45228c22c8b036d.dll
Size

118KB
MD5

beed23c8b32850c8f45228c22c8b036d
SHA1

1b002110ca216433834fac4ddcbf5ec32e86f59c
SHA256

9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SHA512

16a62f45b7cc5d048080e2c9ea9cc43c0429bd090b4e8e3afcb9aa4ab747a1dfba8f7eeaaedbfe03b0e12ff15e497d63a0becd98eccce4c8a389cd06e952ec2c

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
250187
exe_type
loader

rsa_pubkey.base64

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 708 wrote to memory of 1608	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 1608	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 1608	708	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\beed23c8b32850c8f45228c22c8b036d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\beed23c8b32850c8f45228c22c8b036d.dll,#1
2⤵
PID:1608

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-114-0x0000000000000000-mapping.dmp

Download
memory/1608-116-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1608-115-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download