Analysis
- max time kernel: 121s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-05-2021 18:08
Static task
static1
Behavioral task
behavioral1
Sample
ca15492d0c96792b22e031811fc60237.dll
Resource
win7v20210410
0 signatures
0 seconds
General
- Target: ca15492d0c96792b22e031811fc60237.dll
- Size: 937KB
- MD5: ca15492d0c96792b22e031811fc60237
- SHA1: c25a707cb43e81bd1b72fd67abb0c5465c28cfc0
- SHA256: 79278524b0b5613050c83e87aeddc0c987d8ad67fec06af310b8722b97a52171
- SHA512: 22842f8781931812271908051d81cb7b95f13c48095e9a54a711c7a8dfba359c6f546ade4d240cd4de5d67462775581d5f8c1b5a3cd6e4fe126bb4c9aa70cbb5
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
Attributes
- build: 250188
- exe_type: loader
- server_id: 580
- rsa_pubkey.base64
- serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 1756 wrote to memory of 2008 | 1756 | rundll32.exe | rundll32.exe
PID 2008 wrote to memory of 1980 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1980 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1980 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1980 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1948 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1948 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1948 | 2008 | rundll32.exe | cmd.exe
PID 2008 wrote to memory of 1948 | 2008 | rundll32.exe | cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca15492d0c96792b22e031811fc60237.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca15492d0c96792b22e031811fc60237.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c cd Matter m
Network
MITRE ATT&CK Matrix
Downloads
- memory/1948-63-0x0000000000000000-mapping.dmp
- memory/1980-62-0x0000000000000000-mapping.dmp
- memory/2008-60-0x0000000000000000-mapping.dmp
- memory/2008-61-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (Filesize: 8KB)
- memory/2008-65-0x0000000074C00000-0x0000000074D04000-memory.dmp (Filesize: 1.0MB)
- memory/2008-64-0x0000000074C00000-0x0000000074C0E000-memory.dmp (Filesize: 56KB)
- memory/2008-66-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)