gozi | 1c5545e8fe89c9d6a0171332305d2aa83d7eb343b62d6615308ba93b93b15272

Analysis

max time kernel
134s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084aaf4ed20aaf6d53a75ffa92a4d9f7.dll
Size

543KB
MD5

084aaf4ed20aaf6d53a75ffa92a4d9f7
SHA1

6a3fc820992f5a2ad96fd60eaa7caec4242669f6
SHA256

1c5545e8fe89c9d6a0171332305d2aa83d7eb343b62d6615308ba93b93b15272
SHA512

058aadaef1a54457d05f7013f182ac01553f7312b372e341a5108592eda879f3486108e613b15f4eb703c18df486b573e0206f2d4a8273d34034040e03a87966
SSDEEP

12288:KaMB5j1f/QOwOSnV8Eh3doxeNZNN2lFzx3ycxXs4:KaWz3E4INX03ycxc4

Score

10^/10

gozi 8877 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8877

outlook.com

zaluoa.live

daskdjknefjkewfnkjwe.net

Attributes

base_path
/jkloop/
build
250207
dga_season
10
exe_type
loader
extension
.kre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Blocklisted process makes network request 4 IoCs

flow	pid	Process
73	1292	rundll32.exe
78	1292	rundll32.exe
83	1292	rundll32.exe
92	1292	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1292	2068	rundll32.exe	90
PID 2068 wrote to memory of 1292	2068	rundll32.exe	90
PID 2068 wrote to memory of 1292	2068	rundll32.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\084aaf4ed20aaf6d53a75ffa92a4d9f7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\084aaf4ed20aaf6d53a75ffa92a4d9f7.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-0-0x0000000075270000-0x0000000075394000-memory.dmp

Filesize
1.1MB

Download
memory/1292-1-0x0000000075270000-0x0000000075394000-memory.dmp

Filesize
1.1MB

Download
memory/1292-2-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1292-3-0x0000000075270000-0x0000000075394000-memory.dmp

Filesize
1.1MB

Download
memory/1292-4-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/1292-7-0x0000000075270000-0x0000000075394000-memory.dmp

Filesize
1.1MB

Download
memory/1292-9-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads