gozi | 49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 15:28

Target

49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
Size

511KB
MD5

dbe0888d7edb236b38d0dcfd33dd0a06
SHA1

f53a59741ddc982af5b77bd77ab99f74e9b33948
SHA256

49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
SHA512

b893e59fb0cf5db3ae076798849e467b239c7be30917cff40b5df6d5f9feadb50e90ba728ea9955f628c27e519c407f5b7c4b12eba002064387846e7662e2473
SSDEEP

6144:yTZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jyy:YZP+7jsZS0r59Qw3RxjkeP

Score

10^/10

Family

gozi

Family

gozi

Botnet

3000

config.edge.skype.com

89.41.26.99

89.45.4.102

interstarts.top

superlist.top

internetcoca.in

Attributes

rsa_pubkey.plain

aes.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2472 wrote to memory of 4116	2472	regsvr32.exe	regsvr32.exe
PID 2472 wrote to memory of 4116	2472	regsvr32.exe	regsvr32.exe
PID 2472 wrote to memory of 4116	2472	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
2⤵
PID:4116

memory/4116-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/4116-138-0x0000000000830000-0x0000000000835000-memory.dmp

Filesize
20KB

Download
memory/4116-139-0x0000000000A60000-0x0000000000A6D000-memory.dmp

Filesize
52KB

Download