gozi_ifsb | 1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5 | Triage

Analysis

max time kernel
23s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
03-06-2021 16:05

Sharing

Report Analysis Logs

General

Target

shorefront.eps.dll
Size

384KB
MD5

93b0ad344d44befa41b292d0a4609e56
SHA1

3306d48bd1ff87555d9a8accd30583b6789d4683
SHA256

1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
SHA512

3f00ed2b35fd951f804ae8030c0eee4a1acf77234c4daf09f0b653ae5bce439209d30b2faa6d44677f75143ddb9543ef0f04a492dc34849f8b39801c986cf487

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

app.buboleinov.com

chat.veminiare.com

chat.billionady.com

app3.maintorna.com

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 364 wrote to memory of 1140	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1140	364	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 1140	364	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\shorefront.eps.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\shorefront.eps.dll,#1
2⤵
PID:1140

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-114-0x0000000000000000-mapping.dmp

Download
memory/1140-115-0x0000000072ED0000-0x0000000072EDE000-memory.dmp

Filesize
56KB

Download
memory/1140-116-0x0000000072ED0000-0x0000000073F40000-memory.dmp

Filesize
16.4MB

Download
memory/1140-117-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download