Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
21-04-2021 09:06
General
-
Target
27851.png.dll
-
Size
486KB
-
MD5
0b26191e482cf7c321efeb8d2569caac
-
SHA1
0909177f5f88f101146bb4e31202ad92ebd8e223
-
SHA256
b553c5b6da9f88cfc7d00fba468abef8d2b7889f5f19b70e6c52a091f9854121
-
SHA512
169256f7cb7bfea1a151ac927b57f77d0b513038cea9232040bdec773faa3b92e4522324ab62ed8ea5a8c54293d0d5e1638ef01a88fbb316cd010f145bb85099
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4460
C2
1.microsoft.com
horulenuke.us
vorulenuke.us
Attributes
-
build
250190
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\27851.png.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\27851.png.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1976-59-0x0000000000000000-mapping.dmp
-
memory/1976-60-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/1976-62-0x0000000074620000-0x00000000746B4000-memory.dmpFilesize
592KB
-
memory/1976-61-0x0000000074620000-0x000000007462F000-memory.dmpFilesize
60KB
-
memory/1976-63-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB