Overview

overview

10

Static

static

93e1f6a018...70.dll

windows7_x64

10

93e1f6a018...70.dll

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-05-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93e1f6a018dfd87a6235c247af3a5070.dll

  • Size

    937KB

  • MD5

    93e1f6a018dfd87a6235c247af3a5070

  • SHA1

    642f459b8d535e9acb02160a124c2ec17b2717db

  • SHA256

    8310099f46b3760c683efe9aa247bfaa27334249e8375ddb9e45ee805a47857c

  • SHA512

    01f03aafe353954b05fc5a0ac58fe859c45c7d8238f687b3babc434b869a1c09e52bfbbd01c87e08295562fcf705007cb4c13f6475009acbd80194e2f1c752a4

Score
10/10
gozi_ifsb4500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click
Attributes
  • build

    250188

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\93e1f6a018dfd87a6235c247af3a5070.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\93e1f6a018dfd87a6235c247af3a5070.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd Island
        3⤵
          PID:3596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cd Matter m
          3⤵
            PID:412
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:82945 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2300

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/412-116-0x0000000000000000-mapping.dmp
        Download
      • memory/1404-114-0x0000000000000000-mapping.dmp
        Download
      • memory/1404-118-0x00000000735F0000-0x00000000736F4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1404-117-0x00000000735F0000-0x00000000735FE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1404-119-0x0000000002E80000-0x0000000002FCA000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2140-121-0x00007FFADE4D0000-0x00007FFADE53B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2300-122-0x0000000000000000-mapping.dmp
        Download
      • memory/3596-115-0x0000000000000000-mapping.dmp
        Download