gozi | 8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a | Triage

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 12:55

Sharing

Report Analysis Logs

General

Target

ginumtue.dll
Size

220KB
MD5

9627a223cebc074cefb834370cba058a
SHA1

73c470ad9203150629b13d7f077000aa4f335f26
SHA256

8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
SHA512

283b341fa4bc999dd32586f8914adad9c51ee9533a35fb2c30c165c11f9e4d843062252651bf103183c11cb8ba66d1118df31558f7c59b881f85a2507148ff5a
SSDEEP

1536:iYrO9JaI9HwxtB3wjCaNhQ8yl6sUdM8FOIUa:2HJ9HQv3wFNh6U6pIUa

Score

10^/10

gozi 777777 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

777777

C2

trackingg-protectioon.cdn4.mozilla.net

176.10.111.233

91.241.93.192

45.155.249.200

45.155.250.216

Attributes

base_path
/fonts/
build
250257
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 3708	3760	rundll32.exe	83
PID 3760 wrote to memory of 3708	3760	rundll32.exe	83
PID 3760 wrote to memory of 3708	3760	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ginumtue.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ginumtue.dll,#1
  2⤵
  PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-134-0x0000000001440000-0x0000000001446000-memory.dmp

Filesize
24KB

Download
memory/3708-135-0x0000000002B90000-0x0000000002B9D000-memory.dmp

Filesize
52KB

Download
memory/3708-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download