gozi_ifsb | 3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376

General

Target

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
Size

324KB
MD5

3c2200577d658460f4c66ddfd28685ef
SHA1

f807aeb04fb44b52b0a2c5a5eb12485d3f410777
SHA256

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376
SHA512

1f73bcf3025698cf28fcc634673a7adf4ade128f37fec26f036258e779781b5b2e77403a870c104a080240ffed616cb6416d2f5c4c391de42cd38f58dcd3c9a8

Score

10^/10

gozi_ifsb banker trojan upx

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1792-55-0x00000000003D0000-0x00000000003FB000-memory.dmp	upx
behavioral1/memory/1792-56-0x00000000003D0000-0x00000000003FB000-memory.dmp	upx
behavioral1/memory/1792-67-0x00000000003D0000-0x00000000003FB000-memory.dmp	upx
behavioral1/memory/2036-72-0x00000000003D0000-0x00000000003FB000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

description	pid	process	target process
PID 1792 set thread context of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

description	pid	process	target process
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 1792 wrote to memory of 2036	1792	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
"C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
"C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe"
2⤵
PID:2036

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1792-55-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/1792-56-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/1792-67-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2036-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-66-0x00000000004010E7-mapping.dmp

Download
memory/2036-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-72-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2036-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads