Resubmissions
04-02-2021 15:57
210204-7ddakabam6 1025-01-2021 14:31
210125-8btrv6fz22 1022-01-2021 07:56
210122-t6s44f1q3n 1014-12-2020 16:08
201214-rvlc1zsl7x 10Analysis
-
max time kernel
101s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-02-2021 15:57
General
-
Target
b5b2765aaf97ae9c22abd312e684616d.dll
-
Size
820KB
-
MD5
b5b2765aaf97ae9c22abd312e684616d
-
SHA1
a66a652c2067f7489b83aba3b78502c0f482863b
-
SHA256
9f6d02b422cb72eb3bbc723b8b4a692bc9f641f1908b7e4b32685b2ad42fbef7
-
SHA512
af6c0a6c582a0cfd4f7de6bf1cf0199898b31edc0dba5467a499c2148e425d91d556bd7eebd08faf093d610cbf2afbee2237affc206106c7209cb2492a563279
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Attributes
- build
- dga_base_url
-
dga_crc
0
-
dga_season
0
- dga_tlds
- dns_servers
- exe_type
Extracted
Family
gozi_ifsb
Botnet
2000
Attributes
-
build
215755
- dga_base_url
-
dga_crc
0
-
dga_season
0
- dga_tlds
- dns_servers
-
exe_type
worker
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Windows security bypass 2 TTPs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b5b2765aaf97ae9c22abd312e684616d.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b5b2765aaf97ae9c22abd312e684616d.dll,#13⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
392KB
-
Filesize
380KB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
4KB