gozi_ifsb | 5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca

Analysis

max time kernel
115s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
Size

382KB
MD5

8ede3ace8c115bd3a4fd26bd23c35422
SHA1

a4662431d9c9df3df2eff18bdc5a447ece712e35
SHA256

5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca
SHA512

9b432eb1e20218ada551c20679acaa73547f28bd4f893f84229701b6e2a3fd381fdd9d52d410d392ab27a7a5710f649c56da0eca9120e653c8f90f9c70c00984

Score

10^/10

gozi_ifsb 1010 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

sys.cozmoattire.com/bcms/assets/img

sys.nahualbrand.com/bcms/assets/img

sys.devaneyengineering.com/bcms/assets/img

sys.3earth.us/bcms/assets/img

sys.tartsandcraftsshop.com/bcms/assets/img

lansystemstat.com/bcms/assets/img

highnetwork.pw/bcms/assets/img

lostnetwork.in/bcms/assets/img

sysconnections.net/bcms/assets/img

lansupports.com/bcms/assets/img

Attributes

exe_type
worker
server_id
35

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 1 IoCs

Processes:

5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe

description	pid	process	target process
PID 4492 set thread context of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe

description	pid	process	target process
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
PID 4492 wrote to memory of 3044	4492	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe	5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe

C:\Users\Admin\AppData\Local\Temp\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
"C:\Users\Admin\AppData\Local\Temp\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe
"C:\Users\Admin\AppData\Local\Temp\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.exe"
2⤵
PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-130-0x0000000000000000-mapping.dmp

Download
memory/3044-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download