gozi_ifsb | 466281284c21f14e72173ebc3d11e7c577bd4fcdf71fdeb0a82f87f566019092

Analysis

max time kernel
426s
max time network
428s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 00:07

Target

4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked.dll
Size

281KB
MD5

e1bd43809540a6e8e4f0fe0a25967ec8
SHA1

ff8fa94257287ce61f0d0bd506d6f3e24c4051bf
SHA256

466281284c21f14e72173ebc3d11e7c577bd4fcdf71fdeb0a82f87f566019092
SHA512

b78ac0cd7e69c1d7df73cceb0feb7d2f4298fa8ff2c0be5ea7520e8fb43156f30a73e43640524c3dd42c6cf4a391f24bc116b198be17a95cdb650294dcde8242
SSDEEP

6144:nR3xMuDPZlxVMqlalkZWsu3dbEOdYfB1yYgaoObkC7SnIAzP4rMX:J3DMqglko1pBYmYacp7SnIQ1X

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28
PID 536 wrote to memory of 1112	536	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked.dll,#1
  2⤵
  PID:1112

memory/1112-54-0x0000000000000000-mapping.dmp

Download
memory/1112-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download