gozi_ifsb | f7d8d6786f0665412998662ed0fe90bb9cf165caf878d236637a055106eeaf9e | Triage

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211104
submitted
30-11-2021 18:46

Sharing

Report Analysis Logs

General

Target

0a0b68ae75cac98bb3ebf8cdd35b63cf.dll
Size

118KB
MD5

0a0b68ae75cac98bb3ebf8cdd35b63cf
SHA1

535d02eeace5fec8f92594a07d7fc55aec472c47
SHA256

f7d8d6786f0665412998662ed0fe90bb9cf165caf878d236637a055106eeaf9e
SHA512

5060c9559d3d37cb616f3d9fe6367ba8a2fe31ad11f2a342c5e6a7150e52ab4cbd35967e9ede9f8c3ee55030c7239a32f44c3c8d5abc6c0c6072c374645d589e

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

bvolebukoneh.site

karfaganda.com

Attributes

build
260216
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 952	616	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0a0b68ae75cac98bb3ebf8cdd35b63cf.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0a0b68ae75cac98bb3ebf8cdd35b63cf.dll
2⤵
PID:952

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-55-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/952-58-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download