gozi_ifsb | b467220263eeecd1540d6dd9fb7ae1d4d7a0b14cabd14d66231a5c10f8fb4205

Analysis

max time kernel
112s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 12:27

Target

b467220263eeecd1540d6dd9fb7ae1d4d7a0b14cabd14d66231a5c10f8fb4205.dll
Size

511KB
MD5

b168b018582b096d8cdeb8e1ebc5f6b2
SHA1

5dc6b11fc92b846963a15089cf00da43426e6f03
SHA256

b467220263eeecd1540d6dd9fb7ae1d4d7a0b14cabd14d66231a5c10f8fb4205
SHA512

9db9847ef5f8b45ee1bd347cc36c6e6cd6cd5e3e3d39f1c768ce8b9bd04ada52902e86ace8d2b20acc06955131bc1d3f941998e1486732c9a92e8fd1526f8f27
SSDEEP

6144:ATZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jym:WZP+7jsZS0r59Qw3RxjkePx

Score

10^/10

Family

gozi_ifsb

Botnet

3000

config.edge.skype.com

89.41.26.99

89.45.4.102

interstarts.top

superlist.top

internetcoca.in

Attributes

rsa_pubkey.plain

aes.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 4820 wrote to memory of 4984	4820	regsvr32.exe	81
PID 4820 wrote to memory of 4984	4820	regsvr32.exe	81
PID 4820 wrote to memory of 4984	4820	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b467220263eeecd1540d6dd9fb7ae1d4d7a0b14cabd14d66231a5c10f8fb4205.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b467220263eeecd1540d6dd9fb7ae1d4d7a0b14cabd14d66231a5c10f8fb4205.dll
  2⤵
  PID:4984

memory/4984-132-0x0000000000000000-mapping.dmp

Download
memory/4984-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/4984-138-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/4984-139-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download