gozi_ifsb | eb0331d59dcc188740e4dec6d463a8947caeebb215560bf885d781213389d55a

Analysis

max time kernel
98s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
24-05-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb413e89a992af0ef05cade160409ff.dll
Size

937KB
MD5

2bb413e89a992af0ef05cade160409ff
SHA1

2a0dacba68042ac60ec492ca1cf1788d1ae06f72
SHA256

eb0331d59dcc188740e4dec6d463a8947caeebb215560bf885d781213389d55a
SHA512

d9060fae3b6f6f69911c9e485aee30f13c278e0b379d5ff7fb4739ceb65f54e93a5941352d708ded5ea7f4e6d72856d4bbab489cc7cefed78bac598926c63c78

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3680 wrote to memory of 856	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 856	3680	rundll32.exe	rundll32.exe
PID 3680 wrote to memory of 856	3680	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1212	856	rundll32.exe	cmd.exe
PID 856 wrote to memory of 1212	856	rundll32.exe	cmd.exe
PID 856 wrote to memory of 1212	856	rundll32.exe	cmd.exe
PID 856 wrote to memory of 1736	856	rundll32.exe	cmd.exe
PID 856 wrote to memory of 1736	856	rundll32.exe	cmd.exe
PID 856 wrote to memory of 1736	856	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bb413e89a992af0ef05cade160409ff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bb413e89a992af0ef05cade160409ff.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Island
3⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd Matter m
3⤵
PID:1736

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-114-0x0000000000000000-mapping.dmp

Download
memory/856-118-0x00000000735D0000-0x00000000736D4000-memory.dmp

Filesize
1.0MB

Download
memory/856-117-0x00000000735D0000-0x00000000735DE000-memory.dmp

Filesize
56KB

Download
memory/856-119-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1212-115-0x0000000000000000-mapping.dmp

Download
memory/1736-116-0x0000000000000000-mapping.dmp

Download