gozi_ifsb | b6d47431005c53645b469aaae5c0531bca27e9d11d014755193aa74c3f228ae8 | Triage

Analysis

max time kernel
49s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
03-06-2021 16:05

Sharing

Report Analysis Logs

General

Target

shook.vob.dll
Size

626KB
MD5

ecc4e73f710d096fa7fd8573a999883f
SHA1

6b17f6e11503689592ee647f27a4e3b889156c11
SHA256

b6d47431005c53645b469aaae5c0531bca27e9d11d014755193aa74c3f228ae8
SHA512

c4429c7e80c8454c92a3f1df8d79f547d70c4a1a57ae29c39800dbad3451edd27408c5a6a996623694d909e782fc2f730900e62e57f912be4df7cc9d5a0d6765

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2204 wrote to memory of 900	2204	regsvr32.exe	regsvr32.exe
PID 2204 wrote to memory of 900	2204	regsvr32.exe	regsvr32.exe
PID 2204 wrote to memory of 900	2204	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\shook.vob.dll
2⤵
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-114-0x0000000000000000-mapping.dmp

Download
memory/900-115-0x0000000072760000-0x000000007276E000-memory.dmp

Filesize
56KB

Download
memory/900-116-0x0000000072760000-0x000000007380E000-memory.dmp

Filesize
16.7MB

Download
memory/900-117-0x0000000000A20000-0x0000000000B6A000-memory.dmp

Filesize
1.3MB

Download