gozi_ifsb | 09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285 | Triage

Resubmissions

27-10-2021 11:33

211027-npbnjseeh6 10

04-02-2021 15:53

210204-ry8nav1e26 10

22-01-2021 18:03

210122-wbsmxw8v7s 10

Analysis

max time kernel
2s
max time network
14s
submitted
01-01-1970 00:00

Sharing

Report Analysis Logs

General

Target

out.dll
Size

95KB
MD5

2ff0ff62b5cf7e7097f75a37492f02f8
SHA1

9d60d24299762f4aa7fa71838b58e4e747b95df6
SHA256

09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
SHA512

dc9a5422b9f49910db2ad66d4b4d010fb538e6c12e214c33b4b5ee3c5b96591d251b17d9ff99a7dea83b25b62e6ec521a7292471f42def6cb00b2fa139a9eea6

Score

10^/10

gozi_ifsb 1100 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28
PID 1560 wrote to memory of 1652	1560	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#1
  2⤵
  PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-53-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1652-55-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download