gozi_ifsb | e63a9ff15de73a3b5e076cc16ddeb90dee8e246b5a889d6bd961fa3cfc777de8 | Triage

Analysis

max time kernel
1797s
max time network
1798s
platform
windows10_x64
resource
win10-en
submitted
19-09-2021 01:18

Sharing

Report Analysis Logs

General

Target

embryonic.qt.dll
Size

344KB
MD5

daa48985080f68f222c688092df85633
SHA1

94b945766584b71b88898aa44d075871d80303a6
SHA256

e63a9ff15de73a3b5e076cc16ddeb90dee8e246b5a889d6bd961fa3cfc777de8
SHA512

6c9199aaa037fe3cc7e1920a1b9230dd6b65d919dfd8970492f274766e7b653653908a160b8ac0acfb21c8a834147f77250a4be822be5cf5289135831634b2eb

Score

10^/10

gozi_ifsb 1500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

C2

atl.bigbigpoppa.com

pop.urlovedstuff.com

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4064 wrote to memory of 3956	4064	rundll32.exe	rundll32.exe
PID 4064 wrote to memory of 3956	4064	rundll32.exe	rundll32.exe
PID 4064 wrote to memory of 3956	4064	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\embryonic.qt.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\embryonic.qt.dll,#1
2⤵
PID:3956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3956-115-0x0000000000000000-mapping.dmp

Download
memory/3956-116-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/3956-117-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/3956-118-0x00000000030F0000-0x000000000323A000-memory.dmp

Filesize
1.3MB

Download