gozi_ifsb | aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1 | Triage

Analysis

max time kernel
25s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
08-06-2021 01:03

Sharing

Report Analysis Logs

General

Target

aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1.dll
Size

834KB
MD5

b8bc8b1740b329ff2baf16bcee6ca23d
SHA1

d9215e03d2ddae00041a4ddd731872025b3ce537
SHA256

aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
SHA512

526cee6275372aaa9a34e51a42e607e940b2c0652b45aa3acf5a2b92b8cda6dc1c117d891d64fc93e013869e8244615b7d5d76c2c9c89b02920a11d97a4ed4af

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4432 wrote to memory of 4480	4432	rundll32.exe	rundll32.exe
PID 4432 wrote to memory of 4480	4432	rundll32.exe	rundll32.exe
PID 4432 wrote to memory of 4480	4432	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1.dll,#1
2⤵
PID:4480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4480-114-0x0000000000000000-mapping.dmp

Download
memory/4480-115-0x0000000074190000-0x000000007419D000-memory.dmp

Filesize
52KB

Download
memory/4480-116-0x0000000074190000-0x00000000742B1000-memory.dmp

Filesize
1.1MB

Download
memory/4480-117-0x0000000002B10000-0x0000000002C5A000-memory.dmp

Filesize
1.3MB

Download