Resubmissions

  • 04-02-2021 16:55: 210204-x73h6v1tge (score 10)
  • 25-01-2021 14:34: 210125-72556aqdtx (score 10)
  • 07-01-2021 15:39: 210107-s2wwfyaase (score 10)

Analysis

  • max time kernel: 148s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 07-01-2021 15:39

General

  • Target: plaukbp.dll
  • Size: 704KB
  • MD5: f349a2c12a3114f0e60aae0f48d704d9
  • SHA1: 560ccc4002e62179709d3493aa12fb2b5110def3
  • SHA256: ee683452d552bcc84964b3fbdfcfebcc281978115aa26a1413ae730a2c5032b1
  • SHA512: 0d4d806d81a7e9dd873fd4ab3a03dcb8a191a821aee68aa923cadfabe4776345cdef37135a7c67be609faaed5418519da82ae5d8d91ffe4785d72865aad6734e

Score
10/10

Malware Config

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings (1 TTP, 102 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\plaukbp.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\plaukbp.dll,#1
      PID:456
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1416
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:952
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1828
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:840

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion > Modify Registry (T1112): 1


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
      MD5

      c73ca5e2d219e00e3aea10857eb9d97c

      SHA1

      024a0e1fd6a5f327357653656e993d784303b2fa

      SHA256

      3efc8bc8a34e44b13a5ea9a1018901072ecfdc7be10bccbf65549f228192e984

      SHA512

      57a5537d7bed06baa8abaff4007fa4c9fc50773dcc646da023f1feeba3bdf99d6cc31c0fa662169484351502b2af20d1be03eb5b6074a69a324fc15418db24ec

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_771D63D2BF22FBD3F874CC100340041C
      MD5

      5e0d194222f8e6b589fa84fb87074cdb

      SHA1

      d5fba707dd76641d0a5538db7d841601d31b0cae

      SHA256

      c8e42afd3262b27e4477eddceefc89eac51a85bc06d713237815a7b45de1f3d8

      SHA512

      6fc629b1a4524da8dba0b2b71a2ec56d900897be2f3ce5a1e304e6c8e12490434a90068312d821bdf13d0d6b9b6ddae702eac135b7bafa74e0fe6c3599499c27

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      MD5

      38a1f2b005c641fcdbc01375946addcc

      SHA1

      347a2c7d24f6954bf9e86622f9935a6ca2c4ef9a

      SHA256

      2d10d35d21e64bcdbd3a12b2747d634debd30db2b7ff95437dfb5fde0dffbd31

      SHA512

      67ec39fb2e53461d6e7c99817bb9a870b76ff36c6f1794ea6ee664d9c99c657113cd4cc8a88d1d6813961ec3def7b1b975acc2ea6b46285c9b3201307e915fe6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
      MD5

      622ef08a7e148c24a1d9403d203b6c9a

      SHA1

      ca9394d9ccdcd28f46f536cf3269fa0bbf52b5c1

      SHA256

      5aef2560a33e95c4bf621a97fa5a39054af0671b2cf938b32c47473d5543f0ea

      SHA512

      016b51ad80219bca7544e3efe190420e485200069c4a9ae658ad07cce016a504ca7fdbcffafa3274294d332fda092419f3357b5f1536c17b6804c08cae4a00f4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_771D63D2BF22FBD3F874CC100340041C
      MD5

      fee8796f5ed8a81e9bd867e84b338ba3

      SHA1

      a84d1da53990c49ef8ef971f5b8533efa58c3f25

      SHA256

      4efc3330c43b12a16567ef7ec4577a33a71f73db50f9e0cb27e0e61dfabecd17

      SHA512

      6860e6ca1e246e6c8ec8d15591ed48ef50fe2db3b13674435cff47d2c90d53a76d27d3346558de708dcac428641ef770be7f2121df92ac767a5e54f0f1fb359c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      83e4a4fb9d5d023aeba74e3dac06295e

      SHA1

      7bc59b1d4281dcf3c13024d3bf7277e7003ad632

      SHA256

      d482349ed53f9a2441b86e7e5a229ccc849fa05204e775c43785d2c73de517fb

      SHA512

      85749014f48ec9bc26f44a1b04b803917bcc670f21e785ea780ddc07e54a21c569730c6e7db7fce1e94e7e85094dd28242f637a244cbd4ba3788ac6cbcfe73e1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      ec0b2f1fa9003f693633c4dad5f61ae3

      SHA1

      763479144c4a526b1dddc1bdb0fdece8b69985f2

      SHA256

      252af7663f7a6acff3cb3f4c4bf3acd0a54e61d8f0333ecd20c23af366a8a544

      SHA512

      aa63927bd025d30d2bc8775cdfe23250167ebe947e4c64ada101f2dafec36fb59e000922b3e225f206675f9863a2192f973b711578b0c7c75f84bf2b8df21a6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      MD5

      6e035d32d7e5a89373816ee8cda3276e

      SHA1

      083ff4397fa41dc8c0114973524b42197d98c912

      SHA256

      1244dda940cbab98cb643522cb298a18a51334c86f9426ad61119d5bc24adb2a

      SHA512

      7c5e1c999335899e245c12317d00e438fb29b42a2437d740c704117290e175d76684ebcc718058ee3316ca89d0bb5e15f76e8444646ce6b8ab3ed6972cb673aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      722c133ed855e2b40c1cccf253a94c0b

      SHA1

      5f0024d6cfe1fbbbc5cad1d513520a1c2f6789c8

      SHA256

      1324aae3e2c7606b13862a0a8a123d8ee2848fd07b1ff85d60fd5b1fd5a85297

      SHA512

      7b26ff7f534201489c040249372a2573b29612956ed023d13aed174d2517503f133ccf328552394a454b1239a6d4def430f65298e557476dd10459aa86d19318

    • memory/316-4-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp
      Filesize

      2.5MB

    • memory/456-2-0x0000000000000000-mapping.dmp
    • memory/456-3-0x0000000010000000-0x0000000010010000-memory.dmp
      Filesize

      64KB

    • memory/840-15-0x0000000000000000-mapping.dmp
    • memory/952-6-0x0000000000000000-mapping.dmp
    • memory/1416-5-0x0000000000000000-mapping.dmp
    • memory/1828-14-0x0000000000000000-mapping.dmp