Analysis
-
max time kernel
74s -
max time network
77s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
09-05-2021 07:05
Static task
static1
Behavioral task
behavioral1
Sample
e4c188ae2a8d453b361d339022a04221.dll
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
e4c188ae2a8d453b361d339022a04221.dll
-
Size
937KB
-
MD5
e4c188ae2a8d453b361d339022a04221
-
SHA1
0f2375eeb872fd5d5021145a56eae8529cedfbdb
-
SHA256
0fa5df74d9d08845440766c204ae874a81a189b9856e2b841665eb9054040b4b
-
SHA512
ec6d7c7a38530c16c71a5d638106b0ea68d094789a58e2148c9e12a2b916cb310b217f5da0c043357eea2745a171104390877e8d085ab39c21332b90d908f5c8
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
app3.maintorna.com
chat.billionady.com
app5.folion.xyz
wer.defone.click
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 736 wrote to memory of 1036 736 rundll32.exe rundll32.exe PID 736 wrote to memory of 1036 736 rundll32.exe rundll32.exe PID 736 wrote to memory of 1036 736 rundll32.exe rundll32.exe PID 1036 wrote to memory of 3184 1036 rundll32.exe cmd.exe PID 1036 wrote to memory of 3184 1036 rundll32.exe cmd.exe PID 1036 wrote to memory of 3184 1036 rundll32.exe cmd.exe PID 1036 wrote to memory of 3796 1036 rundll32.exe cmd.exe PID 1036 wrote to memory of 3796 1036 rundll32.exe cmd.exe PID 1036 wrote to memory of 3796 1036 rundll32.exe cmd.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c188ae2a8d453b361d339022a04221.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c188ae2a8d453b361d339022a04221.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Island3⤵PID:3184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Matter m3⤵PID:3796
-
-