Resubmissions
27-10-2021 11:33
211027-npbnjseeh6 1004-02-2021 15:53
210204-ry8nav1e26 1022-01-2021 18:03
210122-wbsmxw8v7s 10Analysis
-
max time kernel
24s -
max time network
25s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-02-2021 15:53
General
-
Target
out.dll
-
Size
95KB
-
MD5
2ff0ff62b5cf7e7097f75a37492f02f8
-
SHA1
9d60d24299762f4aa7fa71838b58e4e747b95df6
-
SHA256
09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
-
SHA512
dc9a5422b9f49910db2ad66d4b4d010fb538e6c12e214c33b4b5ee3c5b96591d251b17d9ff99a7dea83b25b62e6ec521a7292471f42def6cb00b2fa139a9eea6
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Attributes
- build
- dga_base_url
-
dga_crc
0
-
dga_season
0
- dga_tlds
- dns_servers
- exe_type
Extracted
Family
gozi_ifsb
Botnet
1100
C2
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1
Attributes
-
build
250171
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
1.320669898e+09
-
dga_season
10
-
dga_tlds
com
ru
org
- dns_servers
-
exe_type
loader
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\out.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2004-2-0x0000000000000000-mapping.dmp
-
memory/2004-3-0x00000000765E1000-0x00000000765E3000-memory.dmpFilesize
8KB
-
memory/2004-4-0x00000000000B0000-0x00000000000BC000-memory.dmpFilesize
48KB
-
memory/2004-5-0x0000000010000000-0x000000001000F000-memory.dmpFilesize
60KB