Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 09-05-2021 07:03
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: e091bc381aebed8fee9363a882edfa68.dll
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: e091bc381aebed8fee9363a882edfa68.dll
- Size: 937KB
- MD5: e091bc381aebed8fee9363a882edfa68
- SHA1: 2ecb2813135d36fd0a9bc28ac4020359618e4eaa
- SHA256: e1b21ed8992a45a13b75a1db762be38aba928d7dad5b9ee20b99d9e1c6cfb82c
- SHA512: 5184fe79854e2e79cb30cb8e5f7b6a4224e4b27c54c0c06cf90e39ddce8b452d22640d010b986398e0c56bb97f3e471765ab56f0075401eeaeda12dbdf13b893
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
  - PID 792 wrote to memory of 2000 | 792 | rundll32.exe | rundll32.exe (7 entries)
  - PID 2000 wrote to memory of 1976 | 2000 | rundll32.exe | cmd.exe (4 entries)
  - PID 2000 wrote to memory of 1772 | 2000 | rundll32.exe | cmd.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e091bc381aebed8fee9363a882edfa68.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e091bc381aebed8fee9363a882edfa68.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c cd Matter m
Network
MITRE ATT&CK Matrix
Downloads
- memory/1772-62-0x0000000000000000-mapping.dmp
- memory/1976-61-0x0000000000000000-mapping.dmp
- memory/2000-59-0x0000000000000000-mapping.dmp
- memory/2000-60-0x0000000075551000-0x0000000075553000-memory.dmp (filesize 8KB)
- memory/2000-64-0x0000000074CF0000-0x0000000074DF4000-memory.dmp (filesize 1.0MB)
- memory/2000-63-0x0000000074CF0000-0x0000000074CFE000-memory.dmp (filesize 56KB)
- memory/2000-65-0x0000000000190000-0x0000000000191000-memory.dmp (filesize 4KB)