gozi_ifsb | f7fe2c3969d0e34e88cee07fc7623b9e7aa0cd30231e7e2ddea6b9b967fe7702 | Triage

Analysis

max time kernel
96s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
03-06-2021 16:08

Sharing

Report Analysis Logs

General

Target

racial.drc.dll
Size

515KB
MD5

efb92925b144840e5a35d2807b42b09b
SHA1

50c4b3a4f3eb4ddac6de2773ce91b39e74492ed2
SHA256

f7fe2c3969d0e34e88cee07fc7623b9e7aa0cd30231e7e2ddea6b9b967fe7702
SHA512

cee4ba51677841ab63d47c616920266d9d5f72a03293835b7a2449d692d99fc5a69299478e975fa626b6e381bf70d7b3e30c843e05da157761322155ccbc4991

Score

10^/10

gozi_ifsb 1500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

authd.feronok.com

raw.pablowilliano.at

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3876 wrote to memory of 1932	3876	regsvr32.exe	regsvr32.exe
PID 3876 wrote to memory of 1932	3876	regsvr32.exe	regsvr32.exe
PID 3876 wrote to memory of 1932	3876	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\racial.drc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\racial.drc.dll
2⤵
PID:1932

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-114-0x0000000000000000-mapping.dmp

Download
memory/1932-116-0x0000000074220000-0x00000000742B0000-memory.dmp

Filesize
576KB

Download
memory/1932-115-0x0000000074220000-0x000000007422D000-memory.dmp

Filesize
52KB

Download
memory/1932-117-0x0000000002F50000-0x0000000002FFE000-memory.dmp

Filesize
696KB

Download