gozi_ifsb | 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c

Analysis

Target

6.tar.dll
Size

392KB
MD5

9a024750ca83441f6a1eb0357207f832
SHA1

98451fe991746d4fb0ecade9a0bd318ba4eb9b6a
SHA256

2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c
SHA512

ef98bac4edbe11e4710d76774c692f8a9cae52048e49cfb73db74291a408edf93ef5cb5c5eb55e6f9ba51ee10820d2bd560aed917a4eafef9f29ee4d8d0e2d69

Score

10^/10

Family

gozi_ifsb

Botnet

8877

outlook.com

jkdoiloooooo1.nl

nkdlooooalksloooo.nl

Attributes

rsa_pubkey.plain

serpent.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4640 wrote to memory of 4656	4640	rundll32.exe	rundll32.exe
PID 4640 wrote to memory of 4656	4640	rundll32.exe	rundll32.exe
PID 4640 wrote to memory of 4656	4640	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6.tar.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6.tar.dll,#1
2⤵
- Blocklisted process makes network request
PID:4656

memory/4656-115-0x0000000000000000-mapping.dmp

Download
memory/4656-117-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/4656-116-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4656-118-0x0000000003370000-0x00000000034BA000-memory.dmp

Filesize
1.3MB

Download