gozi | 96691a5722177bd3b92d898458b51bf624a6fd3c83ba03f6c1a9c2088171931e

Analysis

max time kernel
100s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96691a5722177bd3b92d898458b51bf624a6fd3c83ba03f6c1a9c2088171931e.dll
Size

398KB
MD5

a2f914433461b45fc5505e9f89683625
SHA1

a004c119c923990c3cc93c4eff5dcf4a7cf45bf6
SHA256

96691a5722177bd3b92d898458b51bf624a6fd3c83ba03f6c1a9c2088171931e
SHA512

e0bed07bb6f97c0e685ece31654c2bb147d78a11530740451376b267738e6af430f13c5e5b50d96ec4ba81d2a9c770a2f085c3b5ba38ec6078eb4a0b2e196ba8
SSDEEP

12288:skELFg2bL3yXTmLwkHIvJuXK1+OB0wmylK+IUGJH+O:sxy2wm9R+O

Score

10^/10

gozi 5500 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5500

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

Attributes

base_path
/manifest/
build
250177
dga_season
10
exe_type
loader
extension
.cnx
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 820	2036	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96691a5722177bd3b92d898458b51bf624a6fd3c83ba03f6c1a9c2088171931e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96691a5722177bd3b92d898458b51bf624a6fd3c83ba03f6c1a9c2088171931e.dll,#1
2⤵
PID:820

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-54-0x0000000000000000-mapping.dmp

Download
memory/820-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/820-56-0x0000000074680000-0x000000007468F000-memory.dmp

Filesize
60KB

Download
memory/820-57-0x0000000074680000-0x00000000746FA000-memory.dmp

Filesize
488KB

Download
memory/820-58-0x0000000074680000-0x00000000746FA000-memory.dmp

Filesize
488KB

Download
memory/820-59-0x0000000074680000-0x00000000746FA000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads