gozi_ifsb | f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb | Triage

Analysis

max time kernel
24s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
03-06-2021 16:05

Sharing

Report Analysis Logs

General

Target

shorefront.eps.dll
Size

384KB
MD5

b3526bc3c4a61f9f09ac31ee9a5fc8a5
SHA1

d92ac3fa9cca4ed8273111f767e24d8f53896787
SHA256

f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
SHA512

0583e811619ea1ce40c430436e91b8b216fc509e7c75ed7132fdccc9f52f1828f50dbca6cd4b973090962fe6e8b76e298b0fe43b56ea2485810d4dc52e033fdb

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1336	1084	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\shorefront.eps.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\shorefront.eps.dll,#1
  2⤵
  PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-59-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1336-61-0x0000000071A40000-0x0000000071A4E000-memory.dmp

Filesize
56KB

Download
memory/1336-62-0x0000000071A40000-0x0000000072AB0000-memory.dmp

Filesize
16.4MB

Download
memory/1336-63-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download