gozi_ifsb | d5a501f4cc25f94df7c0b7546a1eba7798ce4d28f4052332429d52329e8f34dc | Triage

Analysis

max time kernel
117s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
02-06-2021 21:31

Sharing

Report Analysis Logs

General

Target

shook.vob.dll
Size

626KB
MD5

9b080472af7585ae77e5185ae6af924d
SHA1

b094c1d5762533cf28ddca5248c5fc6ec2bcdea7
SHA256

d5a501f4cc25f94df7c0b7546a1eba7798ce4d28f4052332429d52329e8f34dc
SHA512

537efc90367d0350765f047dbe300899e1c6d632b346faff6dafa75c744b52cc166ab5742e6b5c001a23fd7ebf7f5cd7b088b1ae7785807e8631d7a3b0daabfd

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2256 wrote to memory of 4072	2256	regsvr32.exe	regsvr32.exe
PID 2256 wrote to memory of 4072	2256	regsvr32.exe	regsvr32.exe
PID 2256 wrote to memory of 4072	2256	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
2⤵
PID:4072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4072-114-0x0000000000000000-mapping.dmp

Download
memory/4072-115-0x00000000725B0000-0x00000000725BE000-memory.dmp

Filesize
56KB

Download
memory/4072-116-0x00000000725B0000-0x000000007365E000-memory.dmp

Filesize
16.7MB

Download
memory/4072-117-0x0000000002EC0000-0x000000000300A000-memory.dmp

Filesize
1.3MB

Download