Overview

overview

10

Static

static

yytr.png.dll

windows7_x64

10

yytr.png.dll

windows10_x64

10

Analysis

  • max time kernel
    18s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-02-2021 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yytr.png.dll

  • Size

    463KB

  • MD5

    ba2befa9c70c2b6d779c48a59cece3e5

  • SHA1

    4c855f80076e357d35c7d60cd52d2c49abefc5ff

  • SHA256

    9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb

  • SHA512

    bdc4e33de9de4cf27d1df05e22163c6a3ef0d2406d80cb51db34139bf08cc3a923b079686fbc0a1b359ee46447eb0583c3343360d7e755179e9661c4a503047e

Score
10/10
gozi_ifsb3131bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3131

C2

c.s-microsoft.com

firebaseremoteconfig.googleapis.com

pronpepsipirpyamvioerd.com

80.208.230.180
Attributes
  • build

    250177

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#1
      2⤵
        PID:4788
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 732
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4272

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4272-7-0x0000000003FF0000-0x0000000003FF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4788-2-0x0000000000000000-mapping.dmp
      Download
    • memory/4788-3-0x0000000003FC1000-0x0000000004019000-memory.dmp
      Filesize

      352KB

      Download
    • memory/4788-5-0x00000000005A0000-0x00000000005AD000-memory.dmp
      Filesize

      52KB

      Download
    • memory/4788-4-0x0000000000590000-0x0000000000591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4788-6-0x0000000000B70000-0x0000000000B7F000-memory.dmp
      Filesize

      60KB

      Download