Analysis
Max time kernel: 60s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 08-05-2021 06:55

Static task: static1
Behavioral task: behavioral1
  Sample: 3caed8793a6444ce411bcb88f5f661a7.dll
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
General
Target: 3caed8793a6444ce411bcb88f5f661a7.dll
Size: 937KB
MD5: 3caed8793a6444ce411bcb88f5f661a7
SHA1: eeaf102a8062dd544755edc24c4cd9e57bf07864
SHA256: 60aaa4687dd3691cd748aa4ac21324049698f184afa7d9a479f7527895dc810f
SHA512: c3104263e2fb0bf6d1840ff2ea6496b67a08b907ccc557eb07c3ad65218c046b494ea5471c53d7508790b2c2e50e5bb99593af2aca3721bf34ecb8b54e148aac
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 4500
C2:
  app3.maintorna.com
  chat.billionady.com
  app5.folion.xyz
  wer.defone.click
Attributes:
  build: 250188
  exe_type: loader
  server_id: 580
  rsa_pubkey.base64
  serpent.plain
Signatures
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: rundll32.exe, rundll32.exe

description                        pid   process       target process
PID 3872 wrote to memory of 4028   3872  rundll32.exe  rundll32.exe
PID 3872 wrote to memory of 4028   3872  rundll32.exe  rundll32.exe
PID 3872 wrote to memory of 4028   3872  rundll32.exe  rundll32.exe
PID 4028 wrote to memory of 576    4028  rundll32.exe  cmd.exe
PID 4028 wrote to memory of 576    4028  rundll32.exe  cmd.exe
PID 4028 wrote to memory of 576    4028  rundll32.exe  cmd.exe
PID 4028 wrote to memory of 352    4028  rundll32.exe  cmd.exe
PID 4028 wrote to memory of 352    4028  rundll32.exe  cmd.exe
PID 4028 wrote to memory of 352    4028  rundll32.exe  cmd.exe
Processes
C:\Windows\system32\rundll32.exe (PID 3872)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3caed8793a6444ce411bcb88f5f661a7.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4028)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3caed8793a6444ce411bcb88f5f661a7.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd Island
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd Matter m

The system32 rundll32.exe re-launching its SysWOW64 copy is the normal 64-bit-to-32-bit handoff for loading a 32-bit DLL, so that first hop is not the interesting part. The two cmd.exe children (PIDs 576 and 352 in the WriteProcessMemory table above) are where the flagged memory writes from the 32-bit rundll32.exe land, and they are the processes to examine when triaging the dumps listed under Downloads.
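The WriteProcessMemory rows above are flattened into a single line in the report, which makes the writer-to-target chain hard to read at a glance. The following script is an added example, not part of the sandbox report or its vendor's code: it parses rows in the report's own format (the nine rows retyped here as constructed input), collapses the repeated entries, rebuilds the write chain from the root process, and applies two simple triage rules. The LOLBin host list (rundll32.exe, regsvr32.exe) and the "host writes into a shell" rule are assumptions chosen for illustration, not something the report states.

```python
"""Rebuild a WriteProcessMemory write chain from flattened sandbox IoC rows.

Added example; RAW_ROWS is the report's nine rows retyped by hand and the
triage rules in flag() are assumptions, not the sandbox's own signature logic.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's "Suspicious use of WriteProcessMemory" rows.
# Each row reads: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RAW_ROWS = """
PID 3872 wrote to memory of 4028 3872 rundll32.exe rundll32.exe
PID 3872 wrote to memory of 4028 3872 rundll32.exe rundll32.exe
PID 3872 wrote to memory of 4028 3872 rundll32.exe rundll32.exe
PID 4028 wrote to memory of 576 4028 rundll32.exe cmd.exe
PID 4028 wrote to memory of 576 4028 rundll32.exe cmd.exe
PID 4028 wrote to memory of 576 4028 rundll32.exe cmd.exe
PID 4028 wrote to memory of 352 4028 rundll32.exe cmd.exe
PID 4028 wrote to memory of 352 4028 rundll32.exe cmd.exe
PID 4028 wrote to memory of 352 4028 rundll32.exe cmd.exe
"""

# The source PID appears twice in each row (in the description and in the pid
# column); the backreference enforces that they agree.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_rows(text):
    """Return a list of (src_pid, src_image, dst_pid, dst_image) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:  # skip stray lines instead of aborting the whole parse
            continue
        events.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return events


def collapse(events):
    """Count identical rows; the sandbox logs the same write several times."""
    return Counter(events)


def write_chains(events):
    """Follow writer -> target edges from every root (a PID nobody wrote into).

    Returns a list of chains, each a list of (pid, image) nodes from root to leaf.
    """
    edges = defaultdict(list)
    targets = set()
    for src, src_img, dst, dst_img in dict.fromkeys(events):  # ordered dedupe
        edges[(src, src_img)].append((dst, dst_img))
        targets.add((dst, dst_img))
    roots = [node for node in edges if node not in targets]
    chains = []

    def walk(node, path):
        path = path + [node]
        if node not in edges:
            chains.append(path)
            return
        for child in edges[node]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def flag(events, lolbin_hosts=("rundll32.exe", "regsvr32.exe")):
    """Apply two assumed triage rules and return human-readable findings.

    Rule 1: a write into a process with a different image (cross-image write).
    Rule 2: a known DLL-hosting LOLBin writing into cmd.exe.
    """
    findings = []
    for (src, src_img, dst, dst_img), n in collapse(events).items():
        if src_img.lower() != dst_img.lower():
            findings.append(
                f"{src_img}({src}) wrote into {dst_img}({dst}) x{n}: cross-image write"
            )
        if src_img.lower() in lolbin_hosts and dst_img.lower() == "cmd.exe":
            findings.append(
                f"{src_img}({src}) -> cmd.exe({dst}): DLL host writing into a shell"
            )
    return findings


if __name__ == "__main__":
    evs = parse_rows(RAW_ROWS)
    for chain in write_chains(evs):
        print(" -> ".join(f"{img}({pid})" for pid, img in chain))
    for finding in flag(evs):
        print("FLAG:", finding)
```

Run against the rows above, the script prints two chains, both starting at rundll32.exe(3872) and passing through rundll32.exe(4028) to one of the cmd.exe PIDs, and four findings (a cross-image write and a host-into-shell hit for each cmd.exe). The same-image rundll32.exe to rundll32.exe write is deliberately left unflagged, since it corresponds to the 64-bit host launching its 32-bit copy.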
Network
MITRE ATT&CK Matrix
Downloads
memory/352-116-0x0000000000000000-mapping.dmp
memory/576-115-0x0000000000000000-mapping.dmp
memory/4028-114-0x0000000000000000-mapping.dmp
memory/4028-118-0x0000000073990000-0x0000000073A94000-memory.dmp (filesize 1.0MB)
memory/4028-117-0x0000000073990000-0x000000007399E000-memory.dmp (filesize 56KB)
memory/4028-119-0x0000000000C60000-0x0000000000C61000-memory.dmp (filesize 4KB)