gozi_ifsb | 46122b4b88cd3e3cb38554bf976528c4046e1183b38a458e1c4cd91bcca8bee7 | Triage

Analysis

max time kernel
123s
max time network
155s
platform
windows7_x64
resource
win7v20210408
submitted
14-06-2021 15:59

Sharing

Report Analysis Logs

General

Target

textboxValue.jpg.dll
Size

623KB
MD5

7e242194013d4ccdecf7011966cabaf3
SHA1

b264a09ad821f64fd8ba3a2d717ee40b0cf6582e
SHA256

46122b4b88cd3e3cb38554bf976528c4046e1183b38a458e1c4cd91bcca8bee7
SHA512

5416250367a2421d5733f709f00769369a0efe164e4ac55ab4e77c0bfa6abb2fcd12442b7760bc748802cf7caea159bcf418937abdbb9ae51c5d04935645de1a

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 844	1924	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\textboxValue.jpg.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\textboxValue.jpg.dll,#1
2⤵
PID:844

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-61-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/844-60-0x0000000000000000-mapping.dmp

Download
memory/844-63-0x0000000074CC0000-0x0000000074D6F000-memory.dmp

Filesize
700KB

Download
memory/844-64-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/844-62-0x0000000074CC0000-0x0000000074CCD000-memory.dmp

Filesize
52KB

Download