gozi_ifsb | 24516dd388a074b37feb07fab5a6b790a59a934c01ad8f2c133c70418d835b8c

Analysis

max time kernel
134s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 18:45

Target

b51f67e67847ed20c75ef9bc8e057f0d93e2fa62bdf1df1a87d3f772603a59ff.dll
Size

116KB
MD5

098e2b15bb37766a99b7bec04c504b78
SHA1

03ab72c389de1ce28605605a6fa0448802124f78
SHA256

b51f67e67847ed20c75ef9bc8e057f0d93e2fa62bdf1df1a87d3f772603a59ff
SHA512

035583149c9525cfe6a0019d3a64776bba5d483a6c118460d63f89f1bb9b055333401bfae8eb7e2492f34ca1650453bf19b003738b6e3d730db700f8e7095ecf
SSDEEP

3072:F14Nm3YTyii7bLYB0s7+Ec7V6bW2nnW6rifrQc1+lUmT:PvawYB0v72n6rQA+b

Score

10^/10

Family

gozi_ifsb

Botnet

5000

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes

rsa_pubkey.plain

aes.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2144 wrote to memory of 704	2144	regsvr32.exe	regsvr32.exe
PID 2144 wrote to memory of 704	2144	regsvr32.exe	regsvr32.exe
PID 2144 wrote to memory of 704	2144	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b51f67e67847ed20c75ef9bc8e057f0d93e2fa62bdf1df1a87d3f772603a59ff.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b51f67e67847ed20c75ef9bc8e057f0d93e2fa62bdf1df1a87d3f772603a59ff.dll
  2⤵
  PID:704

memory/704-132-0x0000000000000000-mapping.dmp

Download
memory/704-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/704-138-0x0000000003180000-0x000000000318D000-memory.dmp

Filesize
52KB

Download
memory/704-141-0x0000000001250000-0x0000000001255000-memory.dmp

Filesize
20KB

Download