gozi_ifsb | 2da9852912cf01db29e1b3db4a1b9599979ac3c63a6522f5a4a771938c2b36db | Triage

Analysis

max time kernel
27s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 20:05

Sharing

Report Analysis Logs

General

Target

bytesRCount.jpg.dll
Size

306KB
MD5

49af33aa7ecc1a785c1fe96c1946aad1
SHA1

8c2d963af567367151400c4558e21e5711d1707d
SHA256

2da9852912cf01db29e1b3db4a1b9599979ac3c63a6522f5a4a771938c2b36db
SHA512

dab397abb7c719f28b60e3726f54e2e60be871ca63d0a22d170c55074dc87bddbdb6f56d279b913d340d820e0ebe7214196b0de6bce7d40d3acd301bef759d81

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1852 wrote to memory of 1636	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 1636	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 1636	1852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bytesRCount.jpg.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bytesRCount.jpg.dll,#1
2⤵
PID:1636

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-114-0x0000000000000000-mapping.dmp

Download
memory/1636-115-0x0000000073DC0000-0x0000000073DCD000-memory.dmp

Filesize
52KB

Download
memory/1636-116-0x0000000073DC0000-0x0000000073EAA000-memory.dmp

Filesize
936KB

Download
memory/1636-117-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download