gozi_ifsb | 8f409a0d417462b342281b3f869a397ed4f5b8fd5841d140c8c57e7df39ff4b0

Resubmissions

26-10-2021 19:46

Target

b76097aaa0ca490e5eb6b5a2dd13c5bc.dll
Size

549KB
MD5

b76097aaa0ca490e5eb6b5a2dd13c5bc
SHA1

9920ece38424d7902ffb7c28ae1b5c0d33e19aa8
SHA256

8f409a0d417462b342281b3f869a397ed4f5b8fd5841d140c8c57e7df39ff4b0
SHA512

16457a472ae064ccb3f8dc2e2d3231380c58c607f947a0570ac2a0cb54babbb27f542a778f367bcf81f15715da6378525b0e6e4fc10e2b571051a1bf8e3edb37

Score

10^/10

Family

gozi_ifsb

Botnet

8899

http://microsoft.com.login/

https://premiumweare.com

https://gloverunomai.com

Attributes

rsa_pubkey.plain

serpent.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4092 wrote to memory of 4076	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 4076	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 4076	4092	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#1
2⤵
- Blocklisted process makes network request
PID:4076

memory/4076-115-0x0000000000000000-mapping.dmp

Download
memory/4076-116-0x0000000074010000-0x00000000740AB000-memory.dmp

Filesize
620KB

Download
memory/4076-117-0x0000000074010000-0x000000007401F000-memory.dmp

Filesize
60KB

Download
memory/4076-118-0x0000000074010000-0x00000000740AB000-memory.dmp

Filesize
620KB

Download
memory/4076-119-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download