gozi_ifsb | 42eac4473d3da23a10f9509b8758c6bab2f7bd31a572f4837e7214594ed98af9

Analysis

Target

42eac4473d3da23a10f9509b8758c6bab2f7bd31a572f4837e7214594ed98af9.dll
Size

350KB
MD5

23e292c05d33fecac68beb941399608c
SHA1

1711489c5d9995c080f04db3c8ee26aa0509eded
SHA256

42eac4473d3da23a10f9509b8758c6bab2f7bd31a572f4837e7214594ed98af9
SHA512

4e8784a8d8df976d41fbd747f496d0c09fd4853f55ba0fe7590ab394caebe8b02acb0225e2f3e3ea2364c053556ab87a0f2d20f77a69678127ab9f5bfbf7dff5

Score

10^/10

Family

gozi_ifsb

Botnet

2500

apt.updateffboruse.com

app.updatebrouser.com

Attributes

rsa_pubkey.plain

aes.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 368	1552	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42eac4473d3da23a10f9509b8758c6bab2f7bd31a572f4837e7214594ed98af9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42eac4473d3da23a10f9509b8758c6bab2f7bd31a572f4837e7214594ed98af9.dll,#1
2⤵
PID:368

memory/368-55-0x0000000000000000-mapping.dmp

Download
memory/368-56-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/368-57-0x0000000074F60000-0x0000000074FC5000-memory.dmp

Filesize
404KB

Download
memory/368-58-0x0000000074F60000-0x0000000074F6D000-memory.dmp

Filesize
52KB

Download
memory/368-59-0x0000000074F60000-0x0000000074FC5000-memory.dmp

Filesize
404KB

Download
memory/368-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download