gozi_ifsb | 3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276

General

Target

3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
Size

720KB
MD5

5b882d515e43454b747846b57bbecd80
SHA1

982d7e6b734aed22471513907f49306b6a75a4c4
SHA256

3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276
SHA512

761fcc0a7d88e52a62d87a86a02dd66f2a01563589425146bcd6eaef1af823561df34dbf098356f5fc2eef2dc36d3e0f8bf8e8674114d994284b32048562a004

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 1 IoCs

Processes:

3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe

description	pid	process	target process
PID 4108 set thread context of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe

description	pid	process	target process
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
PID 4108 wrote to memory of 3732	4108	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe	3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe

C:\Users\Admin\AppData\Local\Temp\3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
"C:\Users\Admin\AppData\Local\Temp\3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe
"C:\Users\Admin\AppData\Local\Temp\3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276.exe"
2⤵
PID:3732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-130-0x0000000000000000-mapping.dmp

Download
memory/3732-131-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3732-133-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3732-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3732-135-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing