gozi_ifsb | 18c060619d879aea7d3626644a8a4448ad802f509c26f1ec02837db675c71dc3

Analysis

max time kernel
414s
max time network
418s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 23:52

Target

0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll
Size

130KB
MD5

8116be1f07cc1f0de73734ab2818f2ce
SHA1

5caef3f91cee769ae0da9ac6bf8490ab2818c166
SHA256

18c060619d879aea7d3626644a8a4448ad802f509c26f1ec02837db675c71dc3
SHA512

4ef3e18f0da463756f68d2fbb816511a1ddca7e2272848484483bfebd1dc7de84b38fb0ce3d7e62b0054d9498ec018da84101ed0b38d0a9f45789d439d71cde0
SSDEEP

3072:3MJ5t4SXfWnqEQSy/f2qlaleOMG+tuvdBaUafK/msNXfq:cJrXfWnqd2qlalev5uvdBaUxN

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27
PID 1244 wrote to memory of 1396	1244	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll,#1
  2⤵
  PID:1396

memory/1396-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download