Analysis
-
max time kernel
3s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-02-2021 15:14
General
-
Target
yytr.png.dll
-
Size
463KB
-
MD5
ba2befa9c70c2b6d779c48a59cece3e5
-
SHA1
4c855f80076e357d35c7d60cd52d2c49abefc5ff
-
SHA256
9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
-
SHA512
bdc4e33de9de4cf27d1df05e22163c6a3ef0d2406d80cb51db34139bf08cc3a923b079686fbc0a1b359ee46447eb0583c3343360d7e755179e9661c4a503047e
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
3131
C2
c.s-microsoft.com
firebaseremoteconfig.googleapis.com
pronpepsipirpyamvioerd.com
80.208.230.180
Attributes
-
build
250177
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
loader
-
server_id
12
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1896-2-0x0000000000000000-mapping.dmp
-
memory/1896-3-0x00000000760D1000-0x00000000760D3000-memory.dmpFilesize
8KB
-
memory/1896-5-0x0000000000280000-0x000000000028D000-memory.dmpFilesize
52KB
-
memory/1896-4-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/1896-6-0x00000000002B0000-0x00000000002BF000-memory.dmpFilesize
60KB