gozi_ifsb | ffde622e1ebf2ded6fe1ad3e22a1ea11c3b3944eac2278277ca186facc4457bf

Analysis

max time kernel
447s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 00:07

Target

3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked.dll
Size

154KB
MD5

47ff8d660f5e9f9f3fe90f1e87403538
SHA1

07238187fe576b022a149172cb1653625c377cd2
SHA256

ffde622e1ebf2ded6fe1ad3e22a1ea11c3b3944eac2278277ca186facc4457bf
SHA512

571a5220f2757b872a63b4c42b5682fdfbc8bd391522d0d4eef611b55a5ca0c6a2253ee1075f260ad2db083722bb63d18aa02f2d6d76d4f5f604217be5aea375
SSDEEP

3072:FOt39ZNj9tlzA458K4cs04gZqNWFzSPeuwDqlalXn/fDXqJj0oy9oV13:ytZN9gCs0uNWFziwDqlalvDqJd

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4584 wrote to memory of 912	4584	rundll32.exe	rundll32.exe
PID 4584 wrote to memory of 912	4584	rundll32.exe	rundll32.exe
PID 4584 wrote to memory of 912	4584	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked.dll,#1
2⤵
PID:912