gozi_ifsb | f370ff21c450924ef96d5a78576693c6139ce208c270a45178c9ecbf3637ffb7

Analysis

max time kernel
52s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
Size

364KB
MD5

32a1ba8b559bf66052bc2eac774696ad
SHA1

8aacf9a09a59b703d9f24afc16188eb097f32710
SHA256

1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845
SHA512

683605a70b1c808430c7f5fea10ab23fa7e064afb2bf2f8b87aeeb1cc3c71732245b9533c421125fc89a35f9020a5a88d5be6886b16a9bfb64c2118fb38bc311
SSDEEP

6144:dMMEq6F3ZmdajnNFNxGYl67WJJW5ZtxfkUWHO8QzzAc:dMMEq6l1jNHxGdyJ0XfGHWzAc

Score

10^/10

gozi_ifsb 1500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

app10.laptok.at

apt.feel500.at

init.in100k.at

Attributes

build
250188
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1536	1504	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
2⤵
PID:1536

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1536-55-0x0000000000000000-mapping.dmp

Download
memory/1536-56-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-57-0x00000000747E0000-0x00000000747ED000-memory.dmp

Filesize
52KB

Download
memory/1536-58-0x00000000747E0000-0x0000000074D49000-memory.dmp

Filesize
5.4MB

Download
memory/1536-59-0x00000000747E0000-0x0000000074D49000-memory.dmp

Filesize
5.4MB

Download
memory/1536-60-0x00000000747E0000-0x0000000074D49000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads