gozi_ifsb | 3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376

General

Target

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
Size

324KB
MD5

3c2200577d658460f4c66ddfd28685ef
SHA1

f807aeb04fb44b52b0a2c5a5eb12485d3f410777
SHA256

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376
SHA512

1f73bcf3025698cf28fcc634673a7adf4ade128f37fec26f036258e779781b5b2e77403a870c104a080240ffed616cb6416d2f5c4c391de42cd38f58dcd3c9a8

Score

10^/10

gozi_ifsb banker trojan upx

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4984-130-0x00000000002F0000-0x000000000031B000-memory.dmp	upx
behavioral2/memory/4984-131-0x00000000002F0000-0x000000000031B000-memory.dmp	upx
behavioral2/memory/4984-136-0x00000000002F0000-0x000000000031B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

description	pid	process	target process
PID 4984 set thread context of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

description	pid	process	target process
PID 4984 wrote to memory of 2952	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2952	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2952	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
PID 4984 wrote to memory of 2228	4984	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe	3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe

C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
"C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
"C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe"
2⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe
"C:\Users\Admin\AppData\Local\Temp\3cbcd861a82da68fa0392c4ca825061feb759986cdbf633508309ae84fcee376.exe"
2⤵
PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2228-133-0x0000000000000000-mapping.dmp

Download
memory/2228-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-132-0x0000000000000000-mapping.dmp

Download
memory/4984-130-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/4984-131-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/4984-136-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads