gozi_ifsb | bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211104
submitted
22-11-2021 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39e97bde83db04c795d18b8f67e19ea.dll
Size

133KB
MD5

b39e97bde83db04c795d18b8f67e19ea
SHA1

d790b9fc4b6e37035357f1bcf3948b66c6931f15
SHA256

bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
SHA512

23839fbd59a5cefe9092e210a8abec08999f51a033f0ee44e6e008a4e6bf74b91eb6498b6ab756cc2bda242149c3a382a7cd0ad0d7c783ec3f48f7c95128fc54

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

https://technoshoper.com

https://avolebukoneh.website

http://technoshoper.com

http://avolebukoneh.website

Attributes

build
260216
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 556	1600	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b39e97bde83db04c795d18b8f67e19ea.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b39e97bde83db04c795d18b8f67e19ea.dll
2⤵
PID:556

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/556-57-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/556-58-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1600-55-0x000007FEFB961000-0x000007FEFB963000-memory.dmp

Filesize
8KB

Download