gozi_ifsb | 1304822f60f26d982ee578417003549a74a58930c710f877b6a9de593473b271

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-en-20210920
submitted
20-10-2021 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01926e279514e9f218b61ecb2645f63b0a5790384dba2b188f42d7373c6ebcf4.dll
Size

421KB
MD5

b09c6de3b0f6ec6efbc0b3d02479e09c
SHA1

8d73b773fb1a3c3aa047da3b79beac5f4f5123d1
SHA256

01926e279514e9f218b61ecb2645f63b0a5790384dba2b188f42d7373c6ebcf4
SHA512

cda5536bbb9e8e46b8bc16336ecefb497f9f0ed5ddc80d8ffdb75b609d2c89fe230412c99fc45a30b196176150806b9bbb7abe00b40da833e2fc0193b7525947

Score

10^/10

gozi_ifsb 5566 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5566

outlook.com

peajame.com

gderrrpololo.net

Attributes

build
250211
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1140	1464	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01926e279514e9f218b61ecb2645f63b0a5790384dba2b188f42d7373c6ebcf4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01926e279514e9f218b61ecb2645f63b0a5790384dba2b188f42d7373c6ebcf4.dll,#1
2⤵
PID:1140

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-53-0x0000000000000000-mapping.dmp

Download
memory/1140-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1140-55-0x0000000074E80000-0x0000000074F03000-memory.dmp

Filesize
524KB

Download
memory/1140-56-0x0000000074E80000-0x0000000074E8F000-memory.dmp

Filesize
60KB

Download
memory/1140-57-0x0000000074E80000-0x0000000074F03000-memory.dmp

Filesize
524KB

Download
memory/1140-58-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads