gozi_ifsb | 3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0 | Triage

Analysis

max time kernel
144s
max time network
145s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 18:55

Sharing

Report Analysis Logs

General

Target

f685cc7a35c18f8948dfad741d830871.dll
Size

1.7MB
MD5

f685cc7a35c18f8948dfad741d830871
SHA1

34d9e559ee878fc1f7a20ce073a902a81568f67f
SHA256

3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
SHA512

05b36ebb61cece1881bbe8cb35efcf38d98f2dc8aec71a3e0d262aaeca6466d36637f10ce8409829231bfce356793b8eb27d3c792f9f2283cef19cfce68274d8

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2484 wrote to memory of 2744	2484	regsvr32.exe	regsvr32.exe
PID 2484 wrote to memory of 2744	2484	regsvr32.exe	regsvr32.exe
PID 2484 wrote to memory of 2744	2484	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f685cc7a35c18f8948dfad741d830871.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f685cc7a35c18f8948dfad741d830871.dll
2⤵
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-115-0x0000000000000000-mapping.dmp

Download
memory/2744-116-0x00000000030A0000-0x000000000314E000-memory.dmp

Filesize
696KB

Download
memory/2744-117-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download