gozi_ifsb | 3d08389e485bae1170d17e1966af51b7f174c98d1b9dafc4d25873eb70d4d735 | Triage

Analysis

max time kernel
20s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
14-06-2021 19:31

Sharing

Report Analysis Logs

General

Target

Selkirk.ttf.dll
Size

374KB
MD5

81127b25e86fc1c34d4b3c234bbb7650
SHA1

97e8acc57e840ccc2a5caec350b69560f9d64abe
SHA256

3d08389e485bae1170d17e1966af51b7f174c98d1b9dafc4d25873eb70d4d735
SHA512

c2dcf05d65baaab85309d912dbfe01193a99ab0ac6a06ab361edab95a2dc246e56dc782e7c5235a541b8dea62a1b9c86f6211a0a7e6b6a2d197066d010d02d3d

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Selkirk.ttf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Selkirk.ttf.dll,#1
2⤵
PID:4028

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4028-114-0x0000000000000000-mapping.dmp

Download
memory/4028-116-0x00000000739F0000-0x0000000073A95000-memory.dmp

Filesize
660KB

Download
memory/4028-115-0x00000000739F0000-0x00000000739FD000-memory.dmp

Filesize
52KB

Download
memory/4028-117-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download