Malware Analysis Report

2025-08-05 13:07

Sample ID 220323-t7qs3sdebm
Target 00000001.dll
SHA256 93ba5e117699976d0df8512ca37262af3dbb68897fc50167bacef1930c64816f
Tags
gozi_ifsb 6000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93ba5e117699976d0df8512ca37262af3dbb68897fc50167bacef1930c64816f

Threat Level: Known bad

The file 00000001.dll was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 6000 banker trojan

Gozi, Gozi IFSB

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-03-23 16:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 16:42

Reported

2022-03-23 16:45

Platform

win7-20220311-en

Max time kernel

4294211s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\00000001.dll,#1

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\00000001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\00000001.dll,#1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc8

Network

N/A

Files

memory/1808-54-0x0000000000000000-mapping.dmp

memory/1808-55-0x0000000075081000-0x0000000075083000-memory.dmp

memory/1808-56-0x0000000000240000-0x00000000002D0000-memory.dmp

memory/1808-59-0x0000000000240000-0x00000000002D0000-memory.dmp

memory/1808-58-0x0000000000240000-0x000000000024D000-memory.dmp

memory/1808-60-0x0000000000240000-0x00000000002D0000-memory.dmp

memory/1160-61-0x000007FEFB551000-0x000007FEFB553000-memory.dmp