gozi_ifsb | ded13d4a537d366c3f4e9bd00ac0db8d90d5b87554b0957ac38ae81968e76ad8 | Triage

Analysis

max time kernel
151s
max time network
154s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 09:34

Sharing

Report Analysis Logs

General

Target

61406c9abfcad.rar.dll
Size

368KB
MD5

048cc67667ca451a201be5057c3dfc5a
SHA1

8126d4173c6e3536f1448ef66677e2df7c402f7f
SHA256

ded13d4a537d366c3f4e9bd00ac0db8d90d5b87554b0957ac38ae81968e76ad8
SHA512

fd20d67b9ef1643fe71bd5c584d11fc2d18d8f588f1fb9c0fcbf82616945e69dca15ae9aacbf23814335c0ca3a1df5326c530a4958656006a74ca813583cf93b

Score

10^/10

gozi_ifsb 8877 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com

permanentitaly.nl

jklooopooooreer.nl

Attributes

build
250212
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

16 4704 rundll32.exe
18 4704 rundll32.exe
20 4704 rundll32.exe
22 4704 rundll32.exe
24 4704 rundll32.exe
26 4704 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4688 wrote to memory of 4704	4688	rundll32.exe	rundll32.exe
PID 4688 wrote to memory of 4704	4688	rundll32.exe	rundll32.exe
PID 4688 wrote to memory of 4704	4688	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61406c9abfcad.rar.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61406c9abfcad.rar.dll,#1
2⤵
- Blocklisted process makes network request
PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4704-115-0x0000000000000000-mapping.dmp

Download
memory/4704-117-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/4704-116-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4704-118-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download