gozi_ifsb | e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0 | Triage

Analysis

max time kernel
47s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
23-07-2021 15:21

Sharing

Report Analysis Logs

General

Target

e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0.dll
Size

543KB
MD5

cd82705318c7f924f2fbf0d21baba14c
SHA1

004e8fced5a26dbd02547b8fc162ef88999c8b5b
SHA256

e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0
SHA512

9c3a90daf6b807259f928f32064352ce3d1fcc48ec919c4789f7197524ab88301d35c58cac6bb5fda0f9c17a46a91b37d6038b4012e8fec4341627b7cb9a03f9

Score

10^/10

gozi_ifsb 1212 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1212

C2

yahoo.com

oldmass31.xyz

poklamens9.xyz

Attributes

build
250206
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1580	2020	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0.dll,#1
2⤵
PID:1580

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-60-0x0000000000000000-mapping.dmp

Download
memory/1580-61-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1580-62-0x0000000074EF0000-0x0000000074EFF000-memory.dmp

Filesize
60KB

Download
memory/1580-63-0x0000000074EF0000-0x0000000075013000-memory.dmp

Filesize
1.1MB

Download
memory/1580-64-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download