gozi_ifsb | baca8e5902477e73f3a217e6556a8daf8c63e45ee4b372e0af1def6e27b03825

Analysis

max time kernel
408s
max time network
412s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 23:52

Target

026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44_unpacked.dll
Size

151KB
MD5

c0a6e8e01a824ac7c94aa3f00e154c89
SHA1

70f713ee19d9dbebf85f6d5c5d360ef06a22b8b0
SHA256

baca8e5902477e73f3a217e6556a8daf8c63e45ee4b372e0af1def6e27b03825
SHA512

706c09c652e03a3dc318f0ccab2bfad48acd5c6150af77887424cc6809eddfd3f435a2de0daaacee4dcf394ee9dfa1a368d31569b2b4ecae625dc7c9d90a60f2
SSDEEP

3072:cWz9QzXCA5tqzqDMxa4Yt7hqlalXnRLDVDOWtbLbrMadHIR3ZB5F:cWz9QzXHtqzUMx+ttqlalnOS/rMadsF

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1080	2016	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44_unpacked.dll,#1
2⤵
PID:1080

memory/1080-54-0x0000000000000000-mapping.dmp

Download
memory/1080-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download