gozi_ifsb | 8f92de808d26003355c0d9832c5a3dba3e337acae4935ccd7a37012aea681ca3 | Triage

Analysis

max time kernel
13s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
10-06-2021 18:20

Sharing

Report Analysis Logs

General

Target

xadar5.dll
Size

599KB
MD5

f65de6de03df304fa06f6908011f2713
SHA1

6bc18631dd4f9dac4af8e95b81a0d06aab636059
SHA256

8f92de808d26003355c0d9832c5a3dba3e337acae4935ccd7a37012aea681ca3
SHA512

56c9ce50c57c3419c046b6a928549c0f1c749eb3970eafa29e21a22cbbc477ad2138db0f1eb4e87e2a2d4c246b909e9ac8f4b4ec1604ef70a47b1bd84b1e578c

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3988 wrote to memory of 2100	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 2100	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 2100	3988	rundll32.exe	rundll32.exe

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\xadar5.dll,#1
1⤵
PID:2100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\xadar5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-114-0x0000000000000000-mapping.dmp

Download
memory/2100-115-0x0000000073AC0000-0x0000000073ACD000-memory.dmp

Filesize
52KB

Download
memory/2100-116-0x0000000073AC0000-0x0000000073BA9000-memory.dmp

Filesize
932KB

Download
memory/2100-117-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download