Analysis
-
max time kernel
135s -
max time network
138s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
10-05-2021 17:24
General
-
Target
ca15492d0c96792b22e031811fc60237.dll
-
Size
937KB
-
MD5
ca15492d0c96792b22e031811fc60237
-
SHA1
c25a707cb43e81bd1b72fd67abb0c5465c28cfc0
-
SHA256
79278524b0b5613050c83e87aeddc0c987d8ad67fec06af310b8722b97a52171
-
SHA512
22842f8781931812271908051d81cb7b95f13c48095e9a54a711c7a8dfba359c6f546ade4d240cd4de5d67462775581d5f8c1b5a3cd6e4fe126bb4c9aa70cbb5
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
app3.maintorna.com
chat.billionady.com
app5.folion.xyz
wer.defone.click
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ca15492d0c96792b22e031811fc60237.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Island2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Matter m2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ca15492d0c96792b22e031811fc60237.dll,#11⤵
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1204-115-0x0000000000000000-mapping.dmp
-
memory/2828-116-0x0000000000000000-mapping.dmp
-
memory/4072-114-0x0000000000000000-mapping.dmp
-
memory/4072-117-0x0000000073DA0000-0x0000000073DAE000-memory.dmpFilesize
56KB
-
memory/4072-118-0x0000000073DA0000-0x0000000073EA4000-memory.dmpFilesize
1.0MB
-
memory/4072-119-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB