gozi_ifsb | 79d05091b567d313993b547eb379119a1e00bb0cb6716f932a1f1bf7f0058695

Analysis

max time kernel
424s
max time network
427s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 23:52

Target

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked.dll
Size

145KB
MD5

3170f0ed199177fc13d6a86e7a6b0bb3
SHA1

e79195224a6fbf4bd6a442add27f25029317b08b
SHA256

79d05091b567d313993b547eb379119a1e00bb0cb6716f932a1f1bf7f0058695
SHA512

54f03f11b4d76e6ce3928a70c53942370ca23b8bd2c2d2f92079272a031deafe5187b3e7ef57b45e3374c36b3e9a10a4d3c40bec85bc2f8ada701c58ec0b55a3
SSDEEP

3072:U9MfvS8o2a/wSpiED+hqlalXnmdU09UY+kyGOUruRyipj:2wvS8RMD8qlalMZ+kGU

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 368	988	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked.dll,#1
2⤵
PID:368

memory/368-54-0x0000000000000000-mapping.dmp

Download
memory/368-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download