gozi_ifsb | af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836 | Triage

Analysis

max time kernel
68s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
05-07-2021 15:03

Sharing

Report Analysis Logs

General

Target

3a94.dll
Size

607KB
MD5

3a943173c6de419b7078e88c20997838
SHA1

56567824c6b5c62112a74daa7a1a66e2ec0505d3
SHA256

af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836
SHA512

801f8f86158c23a44499fc8c5364cb6353a44fba09015d118341e1bd07a568fe4c2fe4b93ca691bb45b41b5f6ee2a6f73d7ffbfde3eb9cd7293295ffc530693c

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1268	2020	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a94.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a94.dll,#1
2⤵
PID:1268

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-60-0x0000000000000000-mapping.dmp

Download
memory/1268-61-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1268-62-0x0000000074EF0000-0x0000000074EFD000-memory.dmp

Filesize
52KB

Download
memory/1268-63-0x0000000074EF0000-0x0000000075020000-memory.dmp

Filesize
1.2MB

Download
memory/1268-64-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download