gozi_ifsb | d332ff1e7387b8b4bd81740198bef987b313fea98fc337c3961d3016e4f186ea | Triage

Analysis

max time kernel
118s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-10-2021 10:35

Sharing

Report Analysis Logs

General

Target

6177d99838cea.tar.dll
Size

460KB
MD5

81163259832ea85f7e997e4697bf2bd1
SHA1

3735e357bc81fd825fab5c4e477749766aa8e1b8
SHA256

d332ff1e7387b8b4bd81740198bef987b313fea98fc337c3961d3016e4f186ea
SHA512

99d92a263d1ff9be203dea28862f017b8e9e22cce161ff25d7536f09d3968d0346ace08f6776af829ed92b60eb9600bf6f0df4686661562c5afe48cb9018fbf6

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

http://microsoft.com.login/

https://premiumweare.com

https://gloverunomai.com

Attributes

build
260212
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4040 wrote to memory of 1448	4040	rundll32.exe	rundll32.exe
PID 4040 wrote to memory of 1448	4040	rundll32.exe	rundll32.exe
PID 4040 wrote to memory of 1448	4040	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6177d99838cea.tar.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6177d99838cea.tar.dll,#1
2⤵
PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-115-0x0000000000000000-mapping.dmp

Download
memory/1448-116-0x0000000073580000-0x0000000073608000-memory.dmp

Filesize
544KB

Download
memory/1448-117-0x0000000073580000-0x000000007358F000-memory.dmp

Filesize
60KB

Download
memory/1448-118-0x0000000073580000-0x0000000073608000-memory.dmp

Filesize
544KB

Download
memory/1448-119-0x0000000002EA0000-0x0000000002FEA000-memory.dmp

Filesize
1.3MB

Download