gozi_ifsb | 2d49495a14202da33b0d3215668e55cfe873e4deff2bfb892a6227fc23b936fe | Triage

Analysis

max time kernel
32s
max time network
133s
platform
windows10_x64
resource
win10v20210408
submitted
05-07-2021 14:39

Sharing

Report Analysis Logs

General

Target

d1a5c.dll
Size

420KB
MD5

d1a5cea82aad4498789085900147ca86
SHA1

9ba635f6bca95ccb96db70eb3247cc2191f2c7d3
SHA256

2d49495a14202da33b0d3215668e55cfe873e4deff2bfb892a6227fc23b936fe
SHA512

d11b5901c0793f53b19ef648cde8e1c588a1311bf77efcce9fa5cdf5f312fbdca27c56a1230329b758a8aa4043a81bd21cb530c5da4128ccce2aad3dca20c5fe

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1404 wrote to memory of 1828	1404	rundll32.exe	rundll32.exe
PID 1404 wrote to memory of 1828	1404	rundll32.exe	rundll32.exe
PID 1404 wrote to memory of 1828	1404	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a5c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a5c.dll,#1
2⤵
PID:1828

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-114-0x0000000000000000-mapping.dmp

Download
memory/1828-115-0x0000000004630000-0x0000000004731000-memory.dmp

Filesize
1.0MB

Download
memory/1828-117-0x0000000004631000-0x000000000467A000-memory.dmp

Filesize
292KB

Download
memory/1828-116-0x0000000004630000-0x000000000463D000-memory.dmp

Filesize
52KB

Download
memory/1828-118-0x0000000000C00000-0x0000000000D4A000-memory.dmp

Filesize
1.3MB

Download