Overview

overview

10

Static

static

crisp.css.dll

windows7_x64

1

crisp.css.dll

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    78s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-06-2021 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    crisp.css.dll

  • Size

    424KB

  • MD5

    b3eef2ceda386411f18232690dd0f973

  • SHA1

    d524a9bc2b4f1c17b312d3fe71d752a0a52e318e

  • SHA256

    9cf96531ac589e5947c69554c9ea7f7ab2a7cd8037512754acf97d4a40f911b8

  • SHA512

    59e7783f2d849fded2712e8ff5ca64da086220232f54492cce544413df6443d16735e148dff8a4b13e3e7a63ac9657cf228ee7a756f6aadd2525d0f912c8eac3

Score
10/10
gozi_ifsb4500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

authd.feronok.com

raw.pablowilliano.at
Attributes
  • build

    250188

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\crisp.css.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\crisp.css.dll
      2⤵
        PID:1072

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1072-114-0x0000000000000000-mapping.dmp
      Download
    • memory/1072-115-0x00000000739A0000-0x00000000739AD000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1072-116-0x00000000739A0000-0x0000000073A1F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/1072-117-0x0000000003140000-0x0000000003141000-memory.dmp
      Filesize

      4KB

      Download