gozi_ifsb | e260986851f2d054fd9833ad516165a2f655fb7a94fae2c10baa6cd0881bfbd2

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211104
submitted
22-11-2021 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619b70ad91f7d.tiff.dll
Size

121KB
MD5

65c1848557361db4f22649ba842fe348
SHA1

0bfe9c418da335bf7db6e8b6b96ef1755d83eba9
SHA256

e260986851f2d054fd9833ad516165a2f655fb7a94fae2c10baa6cd0881bfbd2
SHA512

19291da788d8e87d5a18c7fb4116070625084095d4c6e32fa879cf6922628a948e6a3682de0fe396f58fc9d0a9cf816805aadaf76457222b3f62769672a83d0a

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

https://technoshoper.com

https://avolebukoneh.website

http://technoshoper.com

http://avolebukoneh.website

Attributes

build
260216
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 652	1392	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\619b70ad91f7d.tiff.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\619b70ad91f7d.tiff.dll
2⤵
PID:652

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-56-0x0000000000000000-mapping.dmp

Download
memory/652-57-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/652-58-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/1392-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download