gozi_ifsb | 5f9688e1d0b2e2b1240946dcc9fc145362cb4c1b76acd74bd85e75afc3ff1b91 | Triage

Analysis

max time kernel
34s
max time network
66s
platform
windows10_x64
resource
win10v20210408
submitted
05-07-2021 14:39

Sharing

Report Analysis Logs

General

Target

9b9dc.dll
Size

420KB
MD5

9b9dcba4b633e44b85fa93b9499b89aa
SHA1

dd7745cb5b057df865a75bb110ded7c20528bfde
SHA256

5f9688e1d0b2e2b1240946dcc9fc145362cb4c1b76acd74bd85e75afc3ff1b91
SHA512

4f7ed3354405099d43ddc615dce09f35ac2ae1bba3bf8e58af44aa6ed6c741ca80184e7c6be63afe01dcbb3dcfe2257162955002ce65ea3559e6a204aba7680b

Score

10^/10

gozi_ifsb 4500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 652 wrote to memory of 3460	652	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 3460	652	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 3460	652	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b9dc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b9dc.dll,#1
2⤵
PID:3460

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-114-0x0000000000000000-mapping.dmp

Download
memory/3460-115-0x00000000049E0000-0x0000000004AE1000-memory.dmp

Filesize
1.0MB

Download
memory/3460-116-0x00000000049E0000-0x00000000049ED000-memory.dmp

Filesize
52KB

Download
memory/3460-117-0x00000000049E1000-0x0000000004A2A000-memory.dmp

Filesize
292KB

Download
memory/3460-118-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download