gozi_ifsb | ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6

Analysis

max time kernel
56s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 21:58

Target

ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe
Size

149KB
MD5

d11e42adad914c3ba95a4d54153a20d0
SHA1

12ec8bd57957135869f51ac40fb573fd15f40565
SHA256

ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6
SHA512

69e143143e7c6b1d03caf9a60587a800e4d7a982757dbc0335867947a3fee77730f719d975ca2b28c827ed9f9e3a7787284169c1423b13a4d918262d032abbc6

Score

10^/10

Family

gozi_ifsb

Attributes

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 1416 WerFault.exe ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe

pid	pid_target	process	target process
1568	1416	WerFault.exe	ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe

description	pid	process	target process
PID 1416 wrote to memory of 1568	1416	ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe	WerFault.exe
PID 1416 wrote to memory of 1568	1416	ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe	WerFault.exe
PID 1416 wrote to memory of 1568	1416	ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe	WerFault.exe
PID 1416 wrote to memory of 1568	1416	ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe
"C:\Users\Admin\AppData\Local\Temp\ab69f7e7b8d82c34676782f9db23194f96c95dff279ada81daefd1f5cfe113d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 204
2⤵
- Program crash
PID:1568

memory/1416-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1416-55-0x0000000001060000-0x000000000111F000-memory.dmp

Filesize
764KB

Download
memory/1416-57-0x0000000001060000-0x000000000111F000-memory.dmp

Filesize
764KB

Download
memory/1416-56-0x0000000001060000-0x000000000106E000-memory.dmp

Filesize
56KB

Download
memory/1416-59-0x0000000001060000-0x000000000111F000-memory.dmp

Filesize
764KB

Download
memory/1568-58-0x0000000000000000-mapping.dmp

Download