gozi_ifsb | 9302114a292d350c4b14f27d8b5b3c89f42c922b6ae99fa62ef6006092e1937d

Analysis

max time kernel
508s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2022 23:52

Target

056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked.dll
Size

252KB
MD5

d99789bc4f6d3ffa201d6ea46a20966a
SHA1

05ab1c70cd0ff6adcf7a2f6198aa546a2e2d1a2f
SHA256

9302114a292d350c4b14f27d8b5b3c89f42c922b6ae99fa62ef6006092e1937d
SHA512

bee09209a2c9a723d14a96999ef8d481b28117c7f64fad627abb3ff710678ba1d0f2c89d2d47958b95512570d85c0efbbef5e8240a5218f37150c1650926dace
SSDEEP

6144:5CIBILZgwtxqlal2qG1C5mIaISMFZim9PS8dggzLh7Kg0vn8tT:iLZgwtxqgl2dfISMFn9J7h7qvy

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4960 wrote to memory of 1260	4960	rundll32.exe	rundll32.exe
PID 4960 wrote to memory of 1260	4960	rundll32.exe	rundll32.exe
PID 4960 wrote to memory of 1260	4960	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked.dll,#1
  2⤵
  PID:1260