gozi_ifsb | 442fdd74d9c1689153b46e6f7da919471461da326911df19e2fa42dd2f43e254 | Triage

Analysis

max time kernel
26s
max time network
67s
platform
windows10_x64
resource
win10v20210408
submitted
03-06-2021 21:16

Sharing

Report Analysis Logs

General

Target

1.css.dll
Size

424KB
MD5

4732648abe7049072850a16f3e6bbe38
SHA1

52cb2e88e951f2576d53104d88adc47e33bca8e3
SHA256

442fdd74d9c1689153b46e6f7da919471461da326911df19e2fa42dd2f43e254
SHA512

a68ab9dc8b8eb166bc6dd1b2144a82444cd316eb3fabcc344f60d593920c557b1ff1fcb692d6e348075c11f8bee199a745c3f2a732adeea0a85d953e2a3bc05d

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

authd.feronok.com

raw.pablowilliano.at

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 516 wrote to memory of 1908	516	regsvr32.exe	regsvr32.exe
PID 516 wrote to memory of 1908	516	regsvr32.exe	regsvr32.exe
PID 516 wrote to memory of 1908	516	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1.css.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1.css.dll
2⤵
PID:1908

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-114-0x0000000000000000-mapping.dmp

Download
memory/1908-116-0x0000000073520000-0x000000007359F000-memory.dmp

Filesize
508KB

Download
memory/1908-115-0x0000000073520000-0x000000007352D000-memory.dmp

Filesize
52KB

Download
memory/1908-117-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download