gozi_ifsb | 9ef7ed2350cf20e7180d5cf9a2e0cf9a8a9298aa472ad50190a9e61689d769b9

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211104
submitted
22-11-2021 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c464402d432fe5c664c78ebaaed208.dll
Size

122KB
MD5

d1c464402d432fe5c664c78ebaaed208
SHA1

c515b9649533481c2a189897ac22d5b7b74432b9
SHA256

9ef7ed2350cf20e7180d5cf9a2e0cf9a8a9298aa472ad50190a9e61689d769b9
SHA512

3b3e5675a7d24400718386393bb42d35d5dd3fc9b3fb86456971c621b2146baa8384434ca27f50c1e1fff4ffd4d4124c8b922d74e4fcd51243b989eaa3764b62

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

microsoft.com/windowsdisabler

https://technoshoper.com

https://avolebukoneh.website

http://technoshoper.com

http://avolebukoneh.website

Attributes

build
260216
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe
PID 320 wrote to memory of 572	320	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d1c464402d432fe5c664c78ebaaed208.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d1c464402d432fe5c664c78ebaaed208.dll
2⤵
PID:572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/572-56-0x0000000000000000-mapping.dmp

Download
memory/572-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/572-58-0x0000000000180000-0x000000000018F000-memory.dmp

Filesize
60KB

Download