gozi_ifsb | 86c9ed4ba9d0cb2127c38667dc7f4ec2a071649fa2f205dbc69a3ba855ec4a1a

Analysis

max time kernel
66s
max time network
57s
platform
windows10_x64
resource
win10v20210408
submitted
23-05-2021 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f042b85a514165c73ba938bc4e96bde2.dll
Size

937KB
MD5

f042b85a514165c73ba938bc4e96bde2
SHA1

76b6917c0151321e12f31ca16c61145a0b91252e
SHA256

86c9ed4ba9d0cb2127c38667dc7f4ec2a071649fa2f205dbc69a3ba855ec4a1a
SHA512

541e36f20c9bd2be6ade8c8c10507c2b8c509c0959ddd2c32c075905d3a216271cc81f9de8ad8bcec1beefe5303c6fc6051ae0d5c4baab3f9c68035665c7cca9

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 488 wrote to memory of 1208	488	rundll32.exe	rundll32.exe
PID 488 wrote to memory of 1208	488	rundll32.exe	rundll32.exe
PID 488 wrote to memory of 1208	488	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 3236	1208	rundll32.exe	cmd.exe
PID 1208 wrote to memory of 3236	1208	rundll32.exe	cmd.exe
PID 1208 wrote to memory of 3236	1208	rundll32.exe	cmd.exe
PID 1208 wrote to memory of 64	1208	rundll32.exe	cmd.exe
PID 1208 wrote to memory of 64	1208	rundll32.exe	cmd.exe
PID 1208 wrote to memory of 64	1208	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f042b85a514165c73ba938bc4e96bde2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f042b85a514165c73ba938bc4e96bde2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Island
3⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Matter m
3⤵
PID:64

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-116-0x0000000000000000-mapping.dmp

Download
memory/1208-114-0x0000000000000000-mapping.dmp

Download
memory/1208-117-0x0000000073E30000-0x0000000073E3E000-memory.dmp

Filesize
56KB

Download
memory/1208-118-0x0000000073E30000-0x0000000073F34000-memory.dmp

Filesize
1.0MB

Download
memory/1208-119-0x0000000000C20000-0x0000000000D6A000-memory.dmp

Filesize
1.3MB

Download
memory/3236-115-0x0000000000000000-mapping.dmp

Download