gozi_ifsb | 61619f607468718ff0d2bbae65a9f5b41226affc95d4ef59b6558e3e2c4ad467

Analysis

max time kernel
428s
max time network
431s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 23:52

Target

07658c673d6fef7c467c279eaacb5387b991cbdf82f0b5695a8d9117102db3fb_unpacked.dll
Size

285KB
MD5

312ccaa9ff8f39d698c083fd3aabfd5c
SHA1

76248e2ddbd9b2b1084a08a86bcc19ac1e2731d9
SHA256

61619f607468718ff0d2bbae65a9f5b41226affc95d4ef59b6558e3e2c4ad467
SHA512

e7dd2c2724153c1146fbc3cb34ac7fb3d5a7ee1a800f3def99c685884346092354d7217c0a16939cf5b558e61bf2b1b3ed81b0534382c37691febc1bb42ec467
SSDEEP

6144:qpEmN0twjkjnSQKUb2iyBSvlXwu8dB1pvqlalMcDTcyyi:/E0CkjS0b7vvK1pvqgl7DTj

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 2008	1988	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07658c673d6fef7c467c279eaacb5387b991cbdf82f0b5695a8d9117102db3fb_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07658c673d6fef7c467c279eaacb5387b991cbdf82f0b5695a8d9117102db3fb_unpacked.dll,#1
2⤵
PID:2008

memory/2008-54-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download