gozi_ifsb | 683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff | Triage

Analysis

max time kernel
17s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
10-08-2021 08:25

Sharing

Report Analysis Logs

General

Target

611237846402f.dll
Size

568KB
MD5

07684da40ad79495b5db6ddcf723bd8e
SHA1

7a7b3294628bd170ae0ca85ec533be7e0d409053
SHA256

683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
SHA512

23864fd1e5cb5860264631d7da50990a12d4f8aabac6b761f6e44e56b4be16263d5589978265b63b1ad4af10452bddc72f73845f03a683d2efd4344521eefb00

Score

10^/10

gozi_ifsb 8877 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com

boyuleruner.online

coyuleruner.online

Attributes

build
250207
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4020 wrote to memory of 588	4020	rundll32.exe	rundll32.exe
PID 4020 wrote to memory of 588	4020	rundll32.exe	rundll32.exe
PID 4020 wrote to memory of 588	4020	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\611237846402f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\611237846402f.dll,#1
2⤵
PID:588

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-114-0x0000000000000000-mapping.dmp

Download
memory/588-115-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/588-117-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download