gozi_ifsb | 4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 12:19

Target

4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba.dll
Size

116KB
MD5

17ddc738604a040176b85c80173c5090
SHA1

75db1976ccc16912d4f1d4fc68b8c8975ad39ac4
SHA256

4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
SHA512

1b9328608a3347822168d3a57d5b2cf7c52bb0f60aa76456409f33029cae22e89a5692d54b29e6c581b287a7376f066382eda3d6a2443389358f6bb40d19a483
SSDEEP

3072:q14Nm3YTyGi7bLYB0s7+Ec7V6bW2nnW6rifrQc1+lUmT:CvOwYB0v72n6rQA+b

Score

10^/10

Family

gozi_ifsb

Botnet

5000

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes

rsa_pubkey.plain

aes.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27
PID 1472 wrote to memory of 600	1472	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba.dll
  2⤵
  PID:600

memory/600-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/600-57-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/600-62-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/600-63-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/1472-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download