gozi_ifsb | 15a7c3abd4f124afbf01c289a1604826ef5cec3646ef0a7db57cba8154bbc225

Analysis

max time kernel
492s
max time network
495s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2022 23:52

Target

2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll
Size

157KB
MD5

1ed3800b65c1be3e6f22f4b9c26007a8
SHA1

3cad6efd700630671aa93bcca6b448b067f0be23
SHA256

15a7c3abd4f124afbf01c289a1604826ef5cec3646ef0a7db57cba8154bbc225
SHA512

2a5cd6b58e53385044119e45ba517074f6f7fa03e2cb2611c97550daf078a7ac7b0d3617153043888db0166bb3a66ce9e601e3d619297874ac4a02944497fd8a
SSDEEP

3072:8Gs0Ma2hadNwxuGzYpjG7zqlalXn8Zt4qPiLiNmQiqSD8JGGzX5KlKV15uZ:8GFMawdxuGzYpEqlalMAqPitQCDM/XNg

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2468 wrote to memory of 3692	2468	rundll32.exe	rundll32.exe
PID 2468 wrote to memory of 3692	2468	rundll32.exe	rundll32.exe
PID 2468 wrote to memory of 3692	2468	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7_unpacked.dll,#1
  2⤵
  PID:3692