gozi | 24ec13da718b7caa092a55c50e1b1b6ab9b2f9994547ac931342790e2cf6a81b

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d9a314b189018d52262def8f639ccad.dll
Size

525KB
MD5

1d9a314b189018d52262def8f639ccad
SHA1

3da6c977b0806d1b55eb36c850014c3d6e24894f
SHA256

24ec13da718b7caa092a55c50e1b1b6ab9b2f9994547ac931342790e2cf6a81b
SHA512

cafa0704b70b257e1b11220c25bc090562dbfabbc5588773dab6c9b69ff3dadf1b024cb17ac5cdca3395f80e1af8567eadf8153de7cee7fffabcc423469b6836
SSDEEP

12288:NOAWyD6Slvumd+vdV1Pa4VjwPXcaxaZnqhSbp/OMcX:NyS6SlWmcV1Pa4VMPKH/9c

Score

10^/10

gozi 7410 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7410

signin.microsoft.com

alliances.bar

allianceline.bar

alliancer.bar

Attributes

base_path
/jdraw/
build
250206
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
extension
.crw
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28
PID 3068 wrote to memory of 2808	3068	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1d9a314b189018d52262def8f639ccad.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1d9a314b189018d52262def8f639ccad.dll
  2⤵
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-1-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-2-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-3-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-4-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-5-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-11-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2808-13-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads