gozi_ifsb | db49e3761c2b7175c40c25249b260c3ad85973b5e7e4996f366facf1f072275b

Analysis

max time kernel
64s
max time network
46s
platform
windows10_x64
resource
win10v20210408
submitted
24-05-2021 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ebcf9a45616ec4499cf6b8c836e8a1.dll
Size

937KB
MD5

61ebcf9a45616ec4499cf6b8c836e8a1
SHA1

afd6f2e2ef19ba9f9cfdea3acaae12f189bcacd7
SHA256

db49e3761c2b7175c40c25249b260c3ad85973b5e7e4996f366facf1f072275b
SHA512

f87be7e493b67d8d7efe0cb8a9aa9332d489fddac3f475f6dd5d797170fed789fcb5dee2edea277b9255a5a8c667bf020a4ca4892dc7eebb4a5f241787012e09

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1108 wrote to memory of 384	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 384	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 384	1108	rundll32.exe	rundll32.exe
PID 384 wrote to memory of 3668	384	rundll32.exe	cmd.exe
PID 384 wrote to memory of 3668	384	rundll32.exe	cmd.exe
PID 384 wrote to memory of 3668	384	rundll32.exe	cmd.exe
PID 384 wrote to memory of 3732	384	rundll32.exe	cmd.exe
PID 384 wrote to memory of 3732	384	rundll32.exe	cmd.exe
PID 384 wrote to memory of 3732	384	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ebcf9a45616ec4499cf6b8c836e8a1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ebcf9a45616ec4499cf6b8c836e8a1.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Island
3⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Matter m
3⤵
PID:3732

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-114-0x0000000000000000-mapping.dmp

Download
memory/384-118-0x0000000074080000-0x0000000074184000-memory.dmp

Filesize
1.0MB

Download
memory/384-117-0x0000000074080000-0x000000007408E000-memory.dmp

Filesize
56KB

Download
memory/384-119-0x0000000000860000-0x00000000009AA000-memory.dmp

Filesize
1.3MB

Download
memory/3668-115-0x0000000000000000-mapping.dmp

Download
memory/3732-116-0x0000000000000000-mapping.dmp

Download