gozi_ifsb | 3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832

General

Target

3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
Size

345KB
MD5

4da11c829f8fea1b690f317837af8387
SHA1

00c6ce1031f88b5276a5335e68fba663e769dadd
SHA256

3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832
SHA512

dfa1e0fe39a8262d987516556d78e395ea7f01cbbfa471296e9f3352c4ae8b80a3305c21352a8ea67e25bd2047edcb30dfe0c319671f9daab86e79f8a781b2d5

Score

10^/10

gozi_ifsb banker trojan upx

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/388-55-0x00000000013C0000-0x00000000013F6000-memory.dmp	upx
behavioral1/memory/388-56-0x00000000013C0000-0x00000000013F6000-memory.dmp	upx
behavioral1/memory/388-68-0x00000000013C0000-0x00000000013F6000-memory.dmp	upx
behavioral1/memory/1984-72-0x00000000013C0000-0x00000000013F6000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe

description	pid	process	target process
PID 388 set thread context of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe

description	pid	process	target process
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
PID 388 wrote to memory of 1984	388	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe	3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe

C:\Users\Admin\AppData\Local\Temp\3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
"C:\Users\Admin\AppData\Local\Temp\3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe
"C:\Users\Admin\AppData\Local\Temp\3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832.exe"
2⤵
PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/388-55-0x00000000013C0000-0x00000000013F6000-memory.dmp

Filesize
216KB

Download
memory/388-56-0x00000000013C0000-0x00000000013F6000-memory.dmp

Filesize
216KB

Download
memory/388-68-0x00000000013C0000-0x00000000013F6000-memory.dmp

Filesize
216KB

Download
memory/1984-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-66-0x00000000004010E7-mapping.dmp

Download
memory/1984-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-72-0x00000000013C0000-0x00000000013F6000-memory.dmp

Filesize
216KB

Download
memory/1984-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads