Malware Analysis Report

2025-08-05 21:40

Sample ID: 230321-mg84eahg53
Target: 6419864dceb72.tar
SHA256: 3ffc3c329ace3bf652db9d8fdcdb7ef19fd1563d39b3ef3934e0170209f03382
Tags: gozi 5050 banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3ffc3c329ace3bf652db9d8fdcdb7ef19fd1563d39b3ef3934e0170209f03382

Threat Level: Known bad

The file 6419864dceb72.tar was found to be: Known bad.

Malicious Activity Summary

gozi 5050 banker isfb trojan

Gozi

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-03-21 10:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-21 10:27
Reported: 2023-03-21 10:29
Platform: win7-20230220-en
Max time kernel: 141s
Max time network: 36s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

Signatures

Gozi

banker trojan gozi

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1304 wrote to memory of 1728  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

Network

N/A

Files

memory/1728-54-0x0000000010000000-0x000000001000F000-memory.dmp

memory/1728-58-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/1728-63-0x0000000000200000-0x000000000020D000-memory.dmp

memory/1728-66-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1728-67-0x0000000062540000-0x000000006257C000-memory.dmp

memory/1728-76-0x0000000062540000-0x000000006257C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-21 10:27
Reported: 2023-03-21 10:29
Platform: win10v2004-20230220-en
Max time kernel: 142s
Max time network: 136s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

Signatures

Gozi

banker trojan gozi

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1288 wrote to memory of 2044  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2044  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2044  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\6419864dceb72.dll

Network

Country  Destination          Domain                       Proto
DE       162.19.139.184:2222  -                            tcp
US       8.8.8.8:53           176.122.125.40.in-addr.arpa  udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa   udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53           176.122.125.40.in-addr.arpa  udp
US       8.8.8.8:53           2.36.159.162.in-addr.arpa    udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa    udp
US       8.8.8.8:53           216.74.101.95.in-addr.arpa   udp
US       20.189.173.5:443     -                            tcp
US       8.8.8.8:53           0.77.109.52.in-addr.arpa     udp
NL       8.238.177.126:80     -                            tcp
US       8.8.8.8:53           8.3.197.209.in-addr.arpa     udp
NL       8.238.177.126:80     -                            tcp
NL       173.223.113.164:443  -                            tcp
NL       173.223.113.131:80   -                            tcp
US       131.253.33.203:80    -                            tcp
GB       52.123.242.66:80     config.edge.skype.com        tcp
US       8.8.8.8:53           66.242.123.52.in-addr.arpa   udp

Files

memory/2044-133-0x0000000010000000-0x000000001000F000-memory.dmp

memory/2044-137-0x0000000000970000-0x000000000097E000-memory.dmp

memory/2044-142-0x0000000000950000-0x0000000000951000-memory.dmp

memory/2044-143-0x0000000000A40000-0x0000000000A4D000-memory.dmp

memory/2044-146-0x0000000062540000-0x000000006257C000-memory.dmp