gozi_ifsb | 9a1b4350e4ad39bd03c8d186cd18a318dba73dfe78775d448210942a19ba7806 | Triage

Analysis

max time kernel
21s
max time network
38s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 13:43

Sharing

Report Analysis Logs

General

Target

ae3d4a4285ff6a422868d38e54d393d13a578471.focy3.dll
Size

306KB
MD5

9f5e19156a588ca6eb508023c438514b
SHA1

ae3d4a4285ff6a422868d38e54d393d13a578471
SHA256

9a1b4350e4ad39bd03c8d186cd18a318dba73dfe78775d448210942a19ba7806
SHA512

ff473dcef30a4e19836e3993b0cd2db47afddbb5b91189c14cd93e8fa33b89ed9046a2a2778d059bcbe4868cb0c3598f37cff0a8e605b5c2cc53f27199f01bd5

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1064	1832	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3d4a4285ff6a422868d38e54d393d13a578471.focy3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3d4a4285ff6a422868d38e54d393d13a578471.focy3.dll,#1
2⤵
PID:1064

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-60-0x0000000000000000-mapping.dmp

Download
memory/1064-61-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1064-63-0x0000000074460000-0x000000007454A000-memory.dmp

Filesize
936KB

Download
memory/1064-62-0x0000000074460000-0x000000007446D000-memory.dmp

Filesize
52KB

Download
memory/1064-64-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download