gozi | c37b38c013fe3e845e9bee5697e21d5cc3a43d156d31a09dd9e6e537a7de1cf4

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 19:30

Target

d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
Size

602KB
MD5

f5229d20ad515e77c585134fcdfd8ca1
SHA1

b6741980071eeadd5a998d75ae890a1527153918
SHA256

d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396
SHA512

6a54765346de383c6b4927cacdcf74d3d22a49ed9f7dc83c4c58d8c655827ab2866bea9f47ae16377a970e5d70c641d26effe877f381ee4662b65f47f246bc63
SSDEEP

12288:/RI34sEF5wcH9seTP1GQn1WHhu67jd23ctEjBx/2g99:/RWu/wcH9seTdJn6VQcSj//199

Score

10^/10

Family

gozi

Family

gozi

Botnet

3000

config.edge.skype.com

superstarts.top

superlist.top

internetcoca.in

193.106.191.163

Attributes

rsa_pubkey.plain

aes.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3720 wrote to memory of 708	3720	regsvr32.exe	regsvr32.exe
PID 3720 wrote to memory of 708	3720	regsvr32.exe	regsvr32.exe
PID 3720 wrote to memory of 708	3720	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
2⤵
PID:708

memory/708-0-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/708-5-0x0000000000D10000-0x0000000000D1D000-memory.dmp

Filesize
52KB

Download