Malware Analysis Report

2025-03-15 07:45

Sample ID 240214-kwyj4sfd28
Target 9b40d3ed02b3662db4e286a7d09f134a
SHA256 d43cfc2d0658951ce6118d1c851abe9bc4cad91b4e5732fad998cb53e034d858
Tags
gozi 1500 banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d43cfc2d0658951ce6118d1c851abe9bc4cad91b4e5732fad998cb53e034d858

Threat Level: Known bad

The file 9b40d3ed02b3662db4e286a7d09f134a was found to be: Known bad.

Malicious Activity Summary

gozi 1500 banker isfb trojan

Gozi

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-14 08:57

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 08:57

Reported

2024-02-14 09:00

Platform

win7-20231215-en

Max time kernel

144s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

Signatures

Gozi

banker trojan gozi

Suspicious use of WriteProcessMemory

Description                        Indicator   Process                            Target
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 3056   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

Network

N/A

Files

memory/3056-0-0x0000000010000000-0x0000000010116000-memory.dmp

memory/3056-1-0x0000000010000000-0x0000000010116000-memory.dmp

memory/3056-2-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/3056-3-0x0000000000310000-0x000000000031D000-memory.dmp

memory/3056-6-0x0000000010000000-0x0000000010116000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 08:57

Reported

2024-02-14 09:00

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

Signatures

Gozi

banker trojan gozi

Suspicious use of WriteProcessMemory

Description                       Indicator   Process                            Target
PID 3400 wrote to memory of 660   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 3400 wrote to memory of 660   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 3400 wrote to memory of 660   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b40d3ed02b3662db4e286a7d09f134a.dll,#1

Network

Country   Destination        Domain                         Proto
US        138.91.171.81:80                                  tcp
US        8.8.8.8:53         154.239.44.20.in-addr.arpa     udp
US        8.8.8.8:53         175.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53         75.159.190.20.in-addr.arpa     udp
US        8.8.8.8:53         95.221.229.192.in-addr.arpa    udp
US        8.8.8.8:53         97.17.167.52.in-addr.arpa      udp
US        8.8.8.8:53         81.171.91.138.in-addr.arpa     udp
US        8.8.8.8:53         58.55.71.13.in-addr.arpa       udp
US        8.8.8.8:53         86.23.85.13.in-addr.arpa       udp
US        8.8.8.8:53         56.126.166.20.in-addr.arpa     udp
US        8.8.8.8:53         18.134.221.88.in-addr.arpa     udp
US        8.8.8.8:53         187.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53         gtr.antoinfer.com              udp
US        8.8.8.8:53         79.121.231.20.in-addr.arpa     udp
US        8.8.8.8:53         48.229.111.52.in-addr.arpa     udp
US        8.8.8.8:53         173.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53         app.bighomegl.at               udp
US        8.8.8.8:53         gtr.antoinfer.com              udp
US        8.8.8.8:53         app.bighomegl.at               udp
US        8.8.8.8:53         24.73.42.20.in-addr.arpa       udp

Files

memory/660-0-0x0000000010000000-0x0000000010116000-memory.dmp

memory/660-1-0x0000000010000000-0x0000000010116000-memory.dmp

memory/660-2-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/660-3-0x0000000002960000-0x000000000296D000-memory.dmp

memory/660-6-0x0000000010000000-0x0000000010116000-memory.dmp