gozi_ifsb | 642c7b965505ad416589c0ae31ad737b198517e065eb8d9f65073cbcbe40a130

Analysis

max time kernel
477s
max time network
430s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 00:07

Target

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_x64.dll
Size

186KB
MD5

b66655073329e82bc7c70dfc3b8d9072
SHA1

7de7bbff2ae7b9e6bfe65546c40ad675a03dd36b
SHA256

642c7b965505ad416589c0ae31ad737b198517e065eb8d9f65073cbcbe40a130
SHA512

d59ccf7106c9c2d73388cf479ed44572c16c128b249783153da5ad9b7446c4bef6d8cb558293a7891443f73e71a169bb385a6ce2a65e216cca8ca94e24ec87ec
SSDEEP

3072:+IrsCMRP7NViyWcrdfcP5hmhLGbHz2k/xetTogGyzTiAh3/aOJVlkJ:+IrN+JViy3dfcuLGbaptTogGutaOFkJ

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1256 Explorer.EXE
Token: SeShutdownPrivilege 1256 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE

pid	process
1256	Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1256	Explorer.EXE
Token: SeShutdownPrivilege	1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1336 wrote to memory of 1256	1336	rundll32.exe	Explorer.EXE
PID 1336 wrote to memory of 1256	1336	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1256
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_x64.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336