gozi_ifsb | 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3 | Triage

Analysis

max time kernel
25s
max time network
13s
platform
windows7_x64
resource
win7v20210408
submitted
12-05-2021 10:40

Sharing

Report Analysis Logs

General

Target

6fdbd25f7a84da80ee9d8577122c3291.dll
Size

467KB
MD5

6fdbd25f7a84da80ee9d8577122c3291
SHA1

39a52cbc48be934cf953d4699e8a1ea5ff53a5bf
SHA256

4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
SHA512

935e43b18efb458f246523976f6b71655cf5c4465cddc86e5b91a9acc8e5d77f3bc3d2b0414d9e08114f286afd682cb9364193babaec4cd6b6ca871abf5b79de

Score

10^/10

gozi_ifsb 8877 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com/login

gmail.com

worunekulo.club

horunekulo.website

Attributes

build
250196
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1964	940	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdbd25f7a84da80ee9d8577122c3291.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdbd25f7a84da80ee9d8577122c3291.dll,#1
2⤵
PID:1964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-59-0x0000000000000000-mapping.dmp

Download
memory/1964-60-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1964-61-0x00000000744A0000-0x00000000744AF000-memory.dmp

Filesize
60KB

Download
memory/1964-63-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download