gozi_ifsb | 96defacb7096fc81b809c4b0e427399cb2f7da2fb7eb278dd676785a8a476181

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-en-20210920
submitted
07-10-2021 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9.dll
Size

163KB
MD5

c9cd971a083303b1b7c4c912f8739f6b
SHA1

25fc199dbb5a7c0a71dfa8f430d8f09d09c0326d
SHA256

96defacb7096fc81b809c4b0e427399cb2f7da2fb7eb278dd676785a8a476181
SHA512

299645fd8262496396685707da2694ba04d1d20d747a8d6f1874b0a105599736b450f66966fda3333a1006d38a6c02ce03e211dab2ec8d5b1b1be4eacca227f0

Score

10^/10

gozi_ifsb 3300 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3300

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1504	2008	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c9.dll
2⤵
PID:1504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-54-0x0000000000000000-mapping.dmp

Download
memory/1504-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1504-57-0x0000000074660000-0x000000007469B000-memory.dmp

Filesize
236KB

Download
memory/1504-56-0x0000000074660000-0x000000007466F000-memory.dmp

Filesize
60KB

Download
memory/1504-58-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2008-53-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download