gozi_ifsb | 9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070 | Triage

Analysis

max time kernel
19s
max time network
15s
platform
windows7_x64
resource
win7v20210408
submitted
28-07-2021 09:58

Sharing

Report Analysis Logs

General

Target

610113e3e6859.dll
Size

543KB
MD5

ae97252af977c7e64b2eeca6140e129e
SHA1

269f90889d519741b79e52ea427fbc37e6a01868
SHA256

9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
SHA512

07fb03be2fbb630d17b832550b774d1f416db84b7dfe05c552ee79a752892b567f49989a1f2dd4b3e6f12cffd55ab312ae76511e841fb22c9e31eba109e8a1c5

Score

10^/10

gozi_ifsb 8877 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com

zaluoa.live

daskdjknefjkewfnkjwe.net

Attributes

build
250207
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1328	1028	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\610113e3e6859.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\610113e3e6859.dll,#1
2⤵
PID:1328

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1328-61-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1328-63-0x0000000074C00000-0x0000000074D24000-memory.dmp

Filesize
1.1MB

Download
memory/1328-62-0x0000000074C00000-0x0000000074C0F000-memory.dmp

Filesize
60KB

Download
memory/1328-64-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download