gozi_ifsb | 9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070 | Triage

Analysis

max time kernel
18s
max time network
112s
platform
windows10_x64
resource
win10v20210408
submitted
28-07-2021 09:58

Sharing

Report Analysis Logs

General

Target

610113e3e6859.dll
Size

543KB
MD5

ae97252af977c7e64b2eeca6140e129e
SHA1

269f90889d519741b79e52ea427fbc37e6a01868
SHA256

9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
SHA512

07fb03be2fbb630d17b832550b774d1f416db84b7dfe05c552ee79a752892b567f49989a1f2dd4b3e6f12cffd55ab312ae76511e841fb22c9e31eba109e8a1c5

Score

10^/10

gozi_ifsb 8877 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com

zaluoa.live

daskdjknefjkewfnkjwe.net

Attributes

build
250207
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 656 wrote to memory of 1512	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 1512	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 1512	656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\610113e3e6859.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\610113e3e6859.dll,#1
2⤵
PID:1512

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-114-0x0000000000000000-mapping.dmp

Download
memory/1512-116-0x0000000074340000-0x0000000074464000-memory.dmp

Filesize
1.1MB

Download
memory/1512-115-0x0000000074340000-0x000000007434F000-memory.dmp

Filesize
60KB

Download
memory/1512-117-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download