gozi_ifsb | 98c29d3c1c76a00271ba5f2cf65106eb0870cf466e57954726143e293134971e

Analysis

Target

e0ebdc2043f61719c22ab6de883ff842.dll
Size

937KB
MD5

e0ebdc2043f61719c22ab6de883ff842
SHA1

7b42580d8cccb48996b2181d80c52971036221fa
SHA256

98c29d3c1c76a00271ba5f2cf65106eb0870cf466e57954726143e293134971e
SHA512

a922ff41fef15f2a2c1e6c84b055cacca7624a29146f324384cbc9cf7aa828d64b015ffc808659b1962202cdd6193e7499166d0a7e99af904787c0a2fb65a38d

Score

10^/10

Family

gozi_ifsb

Botnet

4500

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click

Attributes

rsa_pubkey.base64

serpent.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2000	1096	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1204	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1204	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1204	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1204	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1484	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1484	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1484	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1484	2000	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0ebdc2043f61719c22ab6de883ff842.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0ebdc2043f61719c22ab6de883ff842.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd Island
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd Matter m
    3⤵
    PID:1484

memory/1204-61-0x0000000000000000-mapping.dmp

Download
memory/1484-62-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x0000000074760000-0x0000000074864000-memory.dmp

Filesize
1.0MB

Download
memory/2000-63-0x0000000074760000-0x000000007476E000-memory.dmp

Filesize
56KB

Download
memory/2000-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download