Analysis

max time kernel: 44s
max time network: 10s
platform: windows7_x64
resource: win7v20201028
submitted: 10-02-2021 13:08

Static task: static1
Behavioral task: behavioral1
Sample: a088841ceeaee1306585579ef9a72980.dll
Resource: win7v20201028
0 signatures
0 seconds
General

Target: a088841ceeaee1306585579ef9a72980.dll
Size: 286KB
MD5: a088841ceeaee1306585579ef9a72980
SHA1: fa643f530d8662b61ba459dae488332945e203a5
SHA256: 874342cb9571e9c05d9e29b415c42767df9ca677abfd9867ad23f966cdc6e80a
SHA512: 8f78fa6b0b76d3b11a1f0f6f2d990486e950d140dd5d692c3c8112643c730a47d83e93259bf362074b6c826f0a57dac81974b1d4e65fa9c0ddc981ac75cd3aa1
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 2200
C2:
  api10.laptok.at/api1
  golang.feel500.at/api1
  go.in100k.at/api1
Attributes:
  build: 250171
  dga_base_url: constitution.org/usdeclar.txt
  dga_crc: 0x4eb7d2ca
  dga_season: 10
  dga_tlds: com, ru, org
  exe_type: loader
  rsa_pubkey.base64
  serpent.plain
Signatures

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (rundll32.exe):
  description                       pid   process       target process
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
  PID 1616 wrote to memory of 2016  1616  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a088841ceeaee1306585579ef9a72980.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a088841ceeaee1306585579ef9a72980.dll,#1
Network
MITRE ATT&CK Matrix
Downloads

- memory/2016-2-0x0000000000000000-mapping.dmp
- memory/2016-3-0x00000000765A1000-0x00000000765A3000-memory.dmp (Filesize 8KB)
- memory/2016-4-0x00000000752C0000-0x00000000752CF000-memory.dmp (Filesize 60KB)
- memory/2016-5-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize 4KB)