gozi_ifsb | 18c060619d879aea7d3626644a8a4448ad802f509c26f1ec02837db675c71dc3

Analysis

max time kernel
509s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2022 23:52

Target

0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll
Size

130KB
MD5

8116be1f07cc1f0de73734ab2818f2ce
SHA1

5caef3f91cee769ae0da9ac6bf8490ab2818c166
SHA256

18c060619d879aea7d3626644a8a4448ad802f509c26f1ec02837db675c71dc3
SHA512

4ef3e18f0da463756f68d2fbb816511a1ddca7e2272848484483bfebd1dc7de84b38fb0ce3d7e62b0054d9498ec018da84101ed0b38d0a9f45789d439d71cde0
SSDEEP

3072:3MJ5t4SXfWnqEQSy/f2qlaleOMG+tuvdBaUafK/msNXfq:cJrXfWnqd2qlalev5uvdBaUxN

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 748 wrote to memory of 3760	748	rundll32.exe	82
PID 748 wrote to memory of 3760	748	rundll32.exe	82
PID 748 wrote to memory of 3760	748	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked.dll,#1
  2⤵
  PID:3760