gozi_ifsb | 26c434ac54b9c21dfd6a43878089bcaf96615f65470042c911416aff1c4e9e8d | Triage

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-06-2022 07:24

Sharing

Report Analysis Logs

General

Target

26c434ac54b9c21dfd6a43878089bcaf96615f65470042c911416aff1c4e9e8d.dll
Size

627KB
MD5

b1dcafe393e89ec13270932ad8f868e7
SHA1

0c42f80d31d767007290ca51b866dc90622cd309
SHA256

26c434ac54b9c21dfd6a43878089bcaf96615f65470042c911416aff1c4e9e8d
SHA512

465a4a690fdb7087d1801fb81101e4f69811a7f7068f191e3df0b0375931e907ad9475ceabbf46a0ea41749b695ba21f6202aa31bcaa40d41c4f0cd9462ab076

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1596 800 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 800 wrote to memory of 1596	800	rundll32.exe	WerFault.exe
PID 800 wrote to memory of 1596	800	rundll32.exe	WerFault.exe
PID 800 wrote to memory of 1596	800	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26c434ac54b9c21dfd6a43878089bcaf96615f65470042c911416aff1c4e9e8d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 800 -s 228
2⤵
- Program crash
PID:1596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-54-0x0000000000000000-mapping.dmp

Download