gozi_ifsb | 15a7c3abd4f124afbf01c289a1604826ef5cec3646ef0a7db57cba8154bbc225

Analysis

max time kernel
405s
max time network
408s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 23:52

Target

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll
Size

157KB
MD5

1ed3800b65c1be3e6f22f4b9c26007a8
SHA1

3cad6efd700630671aa93bcca6b448b067f0be23
SHA256

15a7c3abd4f124afbf01c289a1604826ef5cec3646ef0a7db57cba8154bbc225
SHA512

2a5cd6b58e53385044119e45ba517074f6f7fa03e2cb2611c97550daf078a7ac7b0d3617153043888db0166bb3a66ce9e601e3d619297874ac4a02944497fd8a
SSDEEP

3072:8Gs0Ma2hadNwxuGzYpjG7zqlalXn8Zt4qPiLiNmQiqSD8JGGzX5KlKV15uZ:8GFMawdxuGzYpEqlalMAqPitQCDM/XNg

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll,#1
  2⤵
  PID:780

memory/780-54-0x0000000000000000-mapping.dmp

Download
memory/780-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download