gozi | 135e41bbfe6a0a107cc917733714ae1fb7bf19092fb14aec4788c6136793dda2

Analysis

max time kernel
199s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 15:28

Target

4f8ff35c13bc0b82bff19a6fd8b32760_dll64_JC.dll
Size

144KB
MD5

4f8ff35c13bc0b82bff19a6fd8b32760
SHA1

5076af8f1a59c8fc56d405a868820676702b5b97
SHA256

135e41bbfe6a0a107cc917733714ae1fb7bf19092fb14aec4788c6136793dda2
SHA512

039cff089a58b087c6a34acbad45b39048e0ae132329068d7a044efe1a226db3e0045094fb740fab255bb96d8457fcff497503042fd1bdc7a639f86af3380a1f
SSDEEP

3072:R62geqsPhgYn3OrQTREpF6/E8ReqCoq/EgY/Wi:R3iQ1EpF0GqCoqj

Score

10^/10

gozi banker trojan

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

904 Explorer.EXE

pid	process
904	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	904	Explorer.EXE
Token: SeCreatePagefilePrivilege	904	Explorer.EXE
Token: SeShutdownPrivilege	904	Explorer.EXE
Token: SeCreatePagefilePrivilege	904	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

904 Explorer.EXE

pid	process
904	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3456 wrote to memory of 904	3456	rundll32.exe	Explorer.EXE
PID 3456 wrote to memory of 904	3456	rundll32.exe	Explorer.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f8ff35c13bc0b82bff19a6fd8b32760_dll64_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3456

memory/904-0-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download