gozi_ifsb | 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f

Analysis

max time kernel
48s
max time network
60s
platform
windows7_x64
resource
win7v20210408
submitted
11-10-2021 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c060ec6b1e42d70972d0af66a04e66.dll
Size

701KB
MD5

c4c060ec6b1e42d70972d0af66a04e66
SHA1

3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256

47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SHA512

5553d68867af378d347620208b35d4d6261526770cf2a47884f0eff17392cedfa91ab491265717a459b4ccbe43f490a90caaf9289b9f92e8cd63140710e9ca78

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

msn.com/mail

breuranel.website

outlook.com/signup

areuranel.website

Attributes

build
260212
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1328	2004	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4c060ec6b1e42d70972d0af66a04e66.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4c060ec6b1e42d70972d0af66a04e66.dll,#1
2⤵
PID:1328

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1328-61-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1328-62-0x00000000750F0000-0x000000007523C000-memory.dmp

Filesize
1.3MB

Download
memory/1328-63-0x00000000750F0000-0x00000000750FF000-memory.dmp

Filesize
60KB

Download
memory/1328-64-0x00000000750F0000-0x000000007523C000-memory.dmp

Filesize
1.3MB

Download
memory/1328-65-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download