gozi_ifsb | a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750

Analysis

Target

6.tar.dll
Size

544KB
MD5

ed60097b0bca7f9c4649ba5d5a088fc9
SHA1

19b5c95728b212a75adf3e4d2932f411f6c68f9d
SHA256

a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
SHA512

0b505fd6aeea6d2ccab97a5989357985b8bc5081dd2fd7801fb8b7cfd201d4479ad256bf35acf04ad41e9b972a7a6ebd41ba593b083cfdae29f78ebd29d19340

Score

10^/10

Family

gozi_ifsb

Botnet

8877

outlook.com

xaaorunokee.site

taaorunokee.site

Attributes

rsa_pubkey.plain

serpent.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4016 wrote to memory of 3236	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3236	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3236	4016	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6.tar.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6.tar.dll,#1
2⤵
- Blocklisted process makes network request
PID:3236

memory/3236-114-0x0000000000000000-mapping.dmp

Download
memory/3236-116-0x0000000010000000-0x0000000010124000-memory.dmp

Filesize
1.1MB

Download
memory/3236-115-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3236-117-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download