gozi_ifsb | d4d0bb44895c035a39afd7fab48f879e058f1cdc00db0666ebb08463cece2e51 | Triage

Analysis

max time kernel
48s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
03-06-2021 15:31

Sharing

Report Analysis Logs

General

Target

shook.vob.dll
Size

626KB
MD5

11dbf3457def6dece6fcb7564d957951
SHA1

d3f497dae6407e80f23340b990416abb5e15b748
SHA256

d4d0bb44895c035a39afd7fab48f879e058f1cdc00db0666ebb08463cece2e51
SHA512

2064b17bc479f91c26066edcd1f72f5911aded166d22e757df758c0937522baf2ab058d3e08598003c429ca6b5885f94c1bcb249c15bb9b58b8ad8ec30c8660f

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3540 wrote to memory of 424	3540	regsvr32.exe	regsvr32.exe
PID 3540 wrote to memory of 424	3540	regsvr32.exe	regsvr32.exe
PID 3540 wrote to memory of 424	3540	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
2⤵
PID:424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-114-0x0000000000000000-mapping.dmp

Download
memory/424-115-0x0000000072F90000-0x0000000072F9E000-memory.dmp

Filesize
56KB

Download
memory/424-116-0x0000000072F90000-0x000000007403E000-memory.dmp

Filesize
16.7MB

Download
memory/424-117-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download