gozi_ifsb | a08b6bd2b9d190017e68c7d032065e6fe0f169fd9400e5589ffe5de82fcf3646

Analysis

max time kernel
411s
max time network
414s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 00:07

Target

514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54_unpacked.dll
Size

247KB
MD5

42bec6ebbf72c0c13f7d0430fdec6a83
SHA1

fe52ac86deecae98d7f9c452360a19c909b301ea
SHA256

a08b6bd2b9d190017e68c7d032065e6fe0f169fd9400e5589ffe5de82fcf3646
SHA512

cfb61d4f2a9041d7f55e74fd0b4a0c0df1612aa059b06e9be54064cefac25615ac082b16979c50b86f7ab5b62be52400a37a5f83543a88e18764c86299582c52
SSDEEP

6144:INDg0fYEB+SMqV8qlalvaRFhlRaPBGlwCAkuKdgN940OiB:IhB+SfV8qgliBloGlEpf

Score

10^/10

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe
PID 360 wrote to memory of 1108	360	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54_unpacked.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\514b0d82faa73cee71e7b9323411f496be435bfe01844f9369ffb2fa8cef9d54_unpacked.dll,#1
2⤵
PID:1108

memory/1108-54-0x0000000000000000-mapping.dmp

Download
memory/1108-55-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download