Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
08-05-2021 06:55
Static task
static1
Behavioral task
behavioral1
Sample
3caed8793a6444ce411bcb88f5f661a7.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
3caed8793a6444ce411bcb88f5f661a7.dll
-
Size
937KB
-
MD5
3caed8793a6444ce411bcb88f5f661a7
-
SHA1
eeaf102a8062dd544755edc24c4cd9e57bf07864
-
SHA256
60aaa4687dd3691cd748aa4ac21324049698f184afa7d9a479f7527895dc810f
-
SHA512
c3104263e2fb0bf6d1840ff2ea6496b67a08b907ccc557eb07c3ad65218c046b494ea5471c53d7508790b2c2e50e5bb99593af2aca3721bf34ecb8b54e148aac
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
app3.maintorna.com
chat.billionady.com
app5.folion.xyz
wer.defone.click
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
-
rsa_pubkey.base64 (value not shown)
-
serpent.plain (value not shown)
Signatures
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description                        pid   process       target process
PID 1348 wrote to memory of 1920   1348  rundll32.exe  rundll32.exe    (7 entries)
PID 1920 wrote to memory of 2040   1920  rundll32.exe  cmd.exe         (4 entries)
PID 1920 wrote to memory of 1280   1920  rundll32.exe  cmd.exe         (4 entries)
Processes
-
C:\Windows\system32\rundll32.exe (PID 1348)
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3caed8793a6444ce411bcb88f5f661a7.dll,#1
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\rundll32.exe (PID 1920, child of 1348)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3caed8793a6444ce411bcb88f5f661a7.dll,#1
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (child of 1920)
    C:\Windows\system32\cmd.exe /c cd Island
  -
    C:\Windows\SysWOW64\cmd.exe (child of 1920)
    C:\Windows\system32\cmd.exe /c cd Matter m
Notes on the tree: ",#1" invokes the DLL's export at ordinal 1. The 64-bit rundll32.exe in system32 re-launches the 32-bit rundll32.exe in SysWOW64 with the same arguments, which is what rundll32 does when the DLL it is asked to load is 32-bit; the 1.0MB region mapped at 0x75290000 in PID 1920 (see Downloads) is consistent with a 32-bit image of roughly the sample's 937KB size. The two cmd.exe children are launched with the path C:\Windows\system32\cmd.exe but run as C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection for a 32-bit parent. Their PIDs are 2040 and 1280 per the WriteProcessMemory table; the report does not state which command line belongs to which PID.
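The following Python is an added example and is not part of the sandbox report or the Triage/Gozi tooling. It takes the WriteProcessMemory IoC rows and the process tree shown above (reconstructed inline from this page), collapses the repeated rows into per-edge write counts, rebuilds the parent/child tree, and flags the rundll32.exe (system32) -> rundll32.exe (SysWOW64) -> cmd.exe "/c cd ..." chain. The mapping of the two cmd.exe command lines to PIDs 2040 and 1280 is an assumption, since the report does not say which is which.

```python
import re
from collections import Counter, defaultdict

# IoC rows reconstructed from the report's "Suspicious use of WriteProcessMemory"
# table (15 entries). Row layout:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
IOC_ROWS = (
    ["PID 1348 wrote to memory of 1920 1348 rundll32.exe rundll32.exe"] * 7
    + ["PID 1920 wrote to memory of 2040 1920 rundll32.exe cmd.exe"] * 4
    + ["PID 1920 wrote to memory of 1280 1920 rundll32.exe cmd.exe"] * 4
)

# Process list reconstructed from the report's process tree: pid -> (image path, command line).
# ASSUMPTION: the report does not state which cmd.exe command line belongs to PID 2040
# and which to PID 1280; the assignment below is arbitrary and only affects labels.
DLL = r"C:\Users\Admin\AppData\Local\Temp\3caed8793a6444ce411bcb88f5f661a7.dll"
PROCESSES = {
    1348: (r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    1920: (r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    2040: (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cd Island"),
    1280: (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cd Matter m"),
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(rows):
    """Collapse IoC rows into a Counter keyed by
    (writer_pid, writer_image, target_pid, target_image); value = number of writes."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unparseable IoC row: {row!r}")
        writer, target, writer_again, writer_img, target_img = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent writer pid in row: {row!r}")
        edges[(int(writer), writer_img, int(target), target_img)] += 1
    return edges


def build_tree(edges):
    """Parent pid -> set of child pids. Each write edge is treated as a parent/child
    edge, which holds for this report (every target is the writer's child process)."""
    children = defaultdict(set)
    for writer, _, target, _ in edges:
        children[writer].add(target)
    return children


def find_rundll32_cmd_chains(children, procs):
    """Return sorted (root, mid, leaf) pid triples where a rundll32.exe wrote into a
    SysWOW64 rundll32.exe that in turn wrote into a cmd.exe running '/c cd ...'."""
    hits = []
    for root, kids in children.items():
        if not procs[root][0].lower().endswith(r"\rundll32.exe"):
            continue
        for mid in kids:
            if not procs[mid][0].lower().endswith(r"\syswow64\rundll32.exe"):
                continue
            for leaf in children.get(mid, ()):
                leaf_img, leaf_cmd = procs[leaf]
                if leaf_img.lower().endswith(r"\cmd.exe") and re.search(r"/c\s+cd\b", leaf_cmd, re.I):
                    hits.append((root, mid, leaf))
    return sorted(hits)


if __name__ == "__main__":
    edges = parse_rows(IOC_ROWS)
    tree = build_tree(edges)
    for (w, wi, t, ti), n in sorted(edges.items()):
        print(f"{wi} ({w}) -> {ti} ({t}): {n} writes")
    for root, mid, leaf in find_rundll32_cmd_chains(tree, PROCESSES):
        print(f"chain: {root} -> {mid} -> {leaf}: {PROCESSES[leaf][1]}")
```

The write counts come from the sandbox's API hooks; Windows event logs do not record WriteProcessMemory, so on a real host the same chain logic would run over process-creation telemetry (parent/child image and command line) rather than over write events.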
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1280-63-0x0000000000000000-mapping.dmp
-
memory/1920-60-0x0000000000000000-mapping.dmp
-
memory/1920-61-0x00000000762C1000-0x00000000762C3000-memory.dmp
Filesize 8KB
-
memory/1920-65-0x0000000075290000-0x0000000075394000-memory.dmp
Filesize 1.0MB
-
memory/1920-64-0x0000000075290000-0x000000007529E000-memory.dmp
Filesize 56KB
-
memory/1920-66-0x00000000000C0000-0x00000000000C1000-memory.dmp
Filesize 4KB
-
memory/2040-62-0x0000000000000000-mapping.dmp