Analysis

- max time kernel: 119s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 09-05-2021 06:08

Tasks:

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 95da98c0a63160a3cef05cc23aa28dab.dll
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
General

- Target: 95da98c0a63160a3cef05cc23aa28dab.dll
- Size: 937KB
- MD5: 95da98c0a63160a3cef05cc23aa28dab
- SHA1: fb58fd8e30bc85378affe40d90fba2f05d721d92
- SHA256: 4b1ff2f9354e2504464ca3bd74e20ff25aa57084a871e81bada09523fa4327e1
- SHA512: b1089ca62cb4da6ca5e4af1fc331171c44d2229a2a89d7d2fb9b2f610ef00d6f012ce491ba8869b1201012469218e526496351e9ac60675d428e45dd5c009ed6
Malware Config

Extracted

- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64 (value not included here)
  - serpent.plain (value not included here)

The four C2 hostnames are the network indicators to take from this report; the botnet id, build and server_id identify the configuration rather than the infrastructure.
Signatures

- Suspicious use of WriteProcessMemory (9 IoCs)

Processes:

description                       pid   process       target process
PID 3016 wrote to memory of 3908  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 3908  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 3908  3016  rundll32.exe  rundll32.exe
PID 3908 wrote to memory of 1168  3908  rundll32.exe  cmd.exe
PID 3908 wrote to memory of 1168  3908  rundll32.exe  cmd.exe
PID 3908 wrote to memory of 1168  3908  rundll32.exe  cmd.exe
PID 3908 wrote to memory of 2512  3908  rundll32.exe  cmd.exe
PID 3908 wrote to memory of 2512  3908  rundll32.exe  cmd.exe
PID 3908 wrote to memory of 2512  3908  rundll32.exe  cmd.exe

Triage note: every write here goes from a parent into the child it has just created, three events per child. That is the pattern ordinary process creation produces (the parent writes the new process's startup parameters into its address space), so this signature corroborates the process tree rather than evidencing injection into an unrelated process.
Processes

- C:\Windows\system32\rundll32.exe (PID 3016, per the WriteProcessMemory events)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\95da98c0a63160a3cef05cc23aa28dab.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3908)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95da98c0a63160a3cef05cc23aa28dab.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1168)
      C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe (PID 2512)
      C:\Windows\system32\cmd.exe /c cd Matter m

Reading the tree: the DLL is invoked by export ordinal (`,#1`) rather than by name. The hop from the system32 (64-bit) rundll32.exe to the SysWOW64 copy with an identical command line is rundll32's normal re-execution of a 32-bit DLL on a 64-bit host, which tells you the sample is 32-bit; the behaviour that is the sample's own is the 32-bit rundll32.exe (PID 3908) spawning cmd.exe processes whose only work is a `cd` into a directory name.
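The following script is an added example, not part of the sandbox report or of the sample: it re-derives the two findings above (the rundll32 ordinal-load chain that spawns `cmd.exe /c cd ...` children, and lookups of the extracted C2 hostnames) from plain event records. The process events and DNS log lines are constructed here to mirror the report's process tree and C2 list, and the field names (`pid`, `ppid`, `image`, `cmdline`, `query=`) are an assumption about whatever EDR or Sysmon export you feed it.

```python
"""Added example (not the sandbox's or the sample's code): detect the
rundll32 -> rundll32 (WoW64) -> cmd.exe /c cd chain and C2 DNS lookups."""
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's process tree.
# Field names are an assumption; map your own telemetry onto them.
PROC_EVENTS = [
    {"pid": 3016, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\95da98c0a63160a3cef05cc23aa28dab.dll,#1"},
    {"pid": 3908, "ppid": 3016, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\95da98c0a63160a3cef05cc23aa28dab.dll,#1"},
    {"pid": 1168, "ppid": 3908, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c cd Island"},
    {"pid": 2512, "ppid": 3908, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c cd Matter m"},
]

# Constructed DNS query log; the timestamps and the benign lookup are made up.
DNS_LOG = """\
2021-05-09T06:09:01Z pid=3908 query=app3.maintorna.com
2021-05-09T06:09:02Z pid=3908 query=www.msftncsi.com
2021-05-09T06:09:03Z pid=3908 query=wer.defone.click
"""

# C2 hostnames exactly as extracted in the report's Malware Config section.
C2_DOMAINS = {"app3.maintorna.com", "chat.billionady.com",
              "app5.folion.xyz", "wer.defone.click"}

ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)   # rundll32 x.dll,#1
CMD_CD_ONLY = re.compile(r"^\S*cmd\.exe\s+/c\s+cd\s+\S.*$", re.IGNORECASE)


def find_rundll32_chains(events):
    """Return [(rundll32 pid, [cmd.exe child pids])] for each rundll32 that
    loads a DLL by ordinal and then spawns cmd.exe children doing only 'cd'."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        if not ORDINAL_EXPORT.search(e["cmdline"]):
            continue
        cmds = [c["pid"] for c in children[e["pid"]]
                if c["image"].lower().endswith(r"\cmd.exe")
                and CMD_CD_ONLY.match(c["cmdline"])]
        if cmds:
            hits.append((e["pid"], cmds))
    return hits


def is_wow64_rehost(events, pid):
    """True when `pid` is a SysWOW64 rundll32 spawned by a system32 rundll32
    with the same command line: rundll32 re-executing itself to host a
    32-bit DLL, which is not by itself an injection finding."""
    by_pid = {e["pid"]: e for e in events}
    child = by_pid.get(pid)
    parent = by_pid.get(child["ppid"]) if child else None
    if not child or not parent:
        return False
    return (child["image"].lower() == r"c:\windows\syswow64\rundll32.exe"
            and parent["image"].lower() == r"c:\windows\system32\rundll32.exe"
            and child["cmdline"] == parent["cmdline"])


def c2_lookups(dns_log, c2_domains):
    """Return [(pid, hostname)] for DNS queries that hit the extracted C2 list."""
    hits = []
    for line in dns_log.splitlines():
        m = re.search(r"pid=(\d+)\s+query=(\S+)", line)
        if m and m.group(2).lower().rstrip(".") in c2_domains:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    for pid, cmds in find_rundll32_chains(PROC_EVENTS):
        tag = " (WoW64 re-host of a 32-bit DLL)" if is_wow64_rehost(PROC_EVENTS, pid) else ""
        print(f"rundll32 {pid}{tag} spawned cmd.exe /c cd children: {cmds}")
    for pid, host in c2_lookups(DNS_LOG, C2_DOMAINS):
        print(f"pid {pid} resolved C2 host {host}")
```

The 64-bit parent (3016) is deliberately not reported as a hit: its only child is the re-hosted rundll32, so the `cmd.exe` check fails and the alert lands on the 32-bit process that actually ran the DLL's code.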
Network

MITRE ATT&CK Matrix

Downloads
- memory/1168-115-0x0000000000000000-mapping.dmp
- memory/2512-116-0x0000000000000000-mapping.dmp
- memory/3908-114-0x0000000000000000-mapping.dmp
- memory/3908-118-0x00000000739C0000-0x0000000073AC4000-memory.dmp (1.0MB)
- memory/3908-117-0x00000000739C0000-0x00000000739CE000-memory.dmp (56KB)
- memory/3908-119-0x0000000000540000-0x000000000068A000-memory.dmp (1.3MB)
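As an added example, not part of the report, the script below triages the dump list above: it parses the `memory/<pid>-<index>-<start>[-<end>]-<kind>.dmp` names into PID and region size, picks the regions of PID 3908 large enough to hold a loaded image, and scans a region for MZ/PE headers so a carved image can be sent back to static analysis. The filename layout is taken from the names on this page; the byte buffer scanned at the end is a constructed minimal MZ/PE stub built here, not content of the sample's dumps, and the `mapping` / `memory` kinds are handled only as labels.

```python
"""Added example (not the sandbox's code): parse dump names and locate PE
headers inside a memory region dump."""
import re
import struct

# Dump names exactly as listed in the report's Downloads section.
DUMP_NAMES = [
    "memory/1168-115-0x0000000000000000-mapping.dmp",
    "memory/2512-116-0x0000000000000000-mapping.dmp",
    "memory/3908-114-0x0000000000000000-mapping.dmp",
    "memory/3908-118-0x00000000739C0000-0x0000000073AC4000-memory.dmp",
    "memory/3908-117-0x00000000739C0000-0x00000000739CE000-memory.dmp",
    "memory/3908-119-0x0000000000540000-0x000000000068A000-memory.dmp",
]

NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$")

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def parse_dump_name(name):
    """Split a dump filename into pid, index, start/end address and byte size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end is not None else None
    return {"name": name, "pid": int(pid), "index": int(idx), "kind": kind,
            "start": start, "end": end,
            "size": (end - start) if end is not None else 0}


def candidate_regions(names, pid, min_size):
    """Region dumps of `pid` at least `min_size` bytes, largest first."""
    regions = [parse_dump_name(n) for n in names]
    picked = [r for r in regions
              if r["pid"] == pid and r["kind"] == "memory" and r["size"] >= min_size]
    return sorted(picked, key=lambda r: r["size"], reverse=True)


def find_pe_headers(buf):
    """Return [(offset, machine, machine name)] for every MZ whose e_lfanew
    points at a valid 'PE\\0\\0' signature inside the buffer."""
    found = []
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            pe = off + e_lfanew
            # A sane e_lfanew sits past the DOS header and within the first page.
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(buf) \
                    and buf[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", buf, pe + 4)[0]
                found.append((off, machine, MACHINE_NAMES.get(machine, hex(machine))))
        off = buf.find(b"MZ", off + 1)
    return found


def build_stub(machine, e_lfanew=0x80):
    """Constructed minimal MZ + PE signature + machine field (test data only)."""
    hdr = bytearray(e_lfanew + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<H", hdr, e_lfanew + 4, machine)
    return bytes(hdr)


# Constructed region: padding, a 32-bit stub header, then a stray 'MZ' with no
# PE behind it (the scanner must not report that one).
SAMPLE_REGION = (b"\x00" * 0x200 + build_stub(0x14C)
                 + b"MZ" + b"\x00" * 0x100 + b"\xcc" * 0x100)

if __name__ == "__main__":
    # 937KB on disk; any region that could hold the mapped image must be at least that.
    for r in candidate_regions(DUMP_NAMES, 3908, 937 * 1024):
        print(f"{r['name']}: {r['size']:#x} bytes at {r['start']:#x}")
    for off, _, arch in find_pe_headers(SAMPLE_REGION):
        print(f"PE header at offset {off:#x}, machine {arch}")
```

On the real dumps, pass the file contents to `find_pe_headers`; the two regions of PID 3908 above the file size (1.0MB at 0x739C0000 and 1.3MB at 0x540000) are the ones worth scanning first, and a `mapping` dump with a zero address carries no region to scan.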