gozi_ifsb | 53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e | Triage

Analysis

max time kernel
154s
max time network
162s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-12-2021 08:40

Sharing

Report Analysis Logs

General

Target

3b7d8109b37e996e06ae68144f37a73c.exe.dll
Size

1.7MB
MD5

3b7d8109b37e996e06ae68144f37a73c
SHA1

9ee1957c39834e9ea87cd72d7f09e9f08e1712d3
SHA256

53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e
SHA512

549f93153ae0659dfc4876cb5e7dd3b65316fe5293912bcde2828f014039e7528b854db608653296f277be6bcd1b7a725f846fdf9698390baea2b2636a7d19cc

Score

10^/10

gozi_ifsb 8899 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1576	1552	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3b7d8109b37e996e06ae68144f37a73c.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3b7d8109b37e996e06ae68144f37a73c.exe.dll
2⤵
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/1576-55-0x0000000000000000-mapping.dmp

Download
memory/1576-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1576-58-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/1576-57-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download