gozi | 84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0196aa6b6e09389e94acafba9049fe5f.dll
Size

355KB
MD5

0196aa6b6e09389e94acafba9049fe5f
SHA1

6248bd71cc01f4dd0728bf8536c29aff31adb4ce
SHA256

84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e
SHA512

004683c3bcc190134f6715bef7fc1d788e3b7d02c68f6f51980433078be7c126f382fb2832d2668c23f234f9b6ab0d0e1e2e1d0dca33d9f40803f412f566c81a
SSDEEP

6144:BstpyZ+ANKcOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbA3OOmljdLGeZOGH7Cu

Score

10^/10

gozi 1500 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1500

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2620	2956	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
2⤵
PID:2620

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-0-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-1-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-2-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2620-4-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-6-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-12-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-13-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download
memory/2620-15-0x0000000075000000-0x00000000750F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads