gozi_ifsb | 627eb63f8ad3da2b0e9e440379c3eea989d33a4470141cba80f8e199051cf188 | Triage

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211104
submitted
30-11-2021 13:20

Sharing

Report Analysis Logs

General

Target

627eb63f8ad3da2b0e9e440379c3eea989d33a4470141cba80f8e199051cf188.dll
Size

133KB
MD5

099933e55bc8d3f2b674b737f8a533c9
SHA1

a7841a275c957e007ed20b088455c577bbe88c40
SHA256

627eb63f8ad3da2b0e9e440379c3eea989d33a4470141cba80f8e199051cf188
SHA512

7b04ed8fc6892deb6c571d54c306e94ed5082644555ff74e3a3d8cd83459d49366075c3c770e7ce720176c09162d01a67ebe6e565ffb4619ac4ea5627a800fe6

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

bvolebukoneh.site

karfaganda.com

Attributes

build
260216
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe
PID 1408 wrote to memory of 320	1408	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\627eb63f8ad3da2b0e9e440379c3eea989d33a4470141cba80f8e199051cf188.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\627eb63f8ad3da2b0e9e440379c3eea989d33a4470141cba80f8e199051cf188.dll
2⤵
PID:320

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-56-0x0000000000000000-mapping.dmp

Download
memory/320-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/320-59-0x00000000001A0000-0x0000000000220000-memory.dmp

Filesize
512KB

Download
memory/1408-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download