gozi | fb3009e2deadbc2d6760489395bafba79aab3a3cfb41be06181d51bfe864d09b

Analysis

max time kernel
154s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 15:00

Target

d667b1620c679459b264492bfac2703b.dll
Size

551KB
MD5

d667b1620c679459b264492bfac2703b
SHA1

2eea0c6336defa9de132815607490035e47ea734
SHA256

fb3009e2deadbc2d6760489395bafba79aab3a3cfb41be06181d51bfe864d09b
SHA512

bac6f9956237df1a1fd2554e1210365ce1521a0cd89601b0228cebcb94c3ef6e454885079fa5f0e9383a63e378fe86490c935b1e99901c9500081f89549f3d4e
SSDEEP

12288:4dsRFeVssCM5gMrj/LMMtBV0P6Fm92E89xE6FWkogdBtXcPZMfvG1EqYDWDt42O/:usRIfhAadeFoQqffC

Score

10^/10

Family

gozi

Family

gozi

Botnet

1500

f1.bablefiler.at

f22.avanoruk.com

Attributes

rsa_pubkey.plain

aes.plain

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4876 wrote to memory of 4896	4876	rundll32.exe	rundll32.exe
PID 4876 wrote to memory of 4896	4876	rundll32.exe	rundll32.exe
PID 4876 wrote to memory of 4896	4876	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667b1620c679459b264492bfac2703b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667b1620c679459b264492bfac2703b.dll,#1
2⤵
PID:4896

memory/4896-0-0x0000000074BB0000-0x0000000074CD4000-memory.dmp

Filesize
1.1MB

Download
memory/4896-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4896-2-0x0000000000850000-0x000000000085D000-memory.dmp

Filesize
52KB

Download
memory/4896-5-0x0000000074BB0000-0x0000000074CD4000-memory.dmp

Filesize
1.1MB

Download