Analysis

max time kernel: 123s
max time network: 126s
platform: windows7_x64
resource: win7v20210410
submitted: 11-05-2021 07:11

Static task: static1
Behavioral task: behavioral1
Sample: e9d755ac4aa548ba194acf65b05994f4.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General

Target: e9d755ac4aa548ba194acf65b05994f4.dll
Size: 937KB
MD5: e9d755ac4aa548ba194acf65b05994f4
SHA1: 4850ebf11ddaa1e881d18c347f4a6829cefffa25
SHA256: d480f7ac9137faddd5a38d6afd6d5127651ae0d4a2b2a8de8243830323e166b6
SHA512: 2a74aa38fab6e6d67f410470c447cf596f4c447dfcfe3f7ca4f6e12a5e6dd6cbbb67dbf474aeede37c45e6ee5f7420d3c76ba11409ad2253986ec9eabd928cad
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 4500
C2:
  app3.maintorna.com
  chat.billionady.com
  app5.folion.xyz
  wer.defone.click
Attributes:
  build: 250188
  exe_type: loader
  server_id: 580
  rsa_pubkey.base64
  serpent.plain
Signatures

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process       target process
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 1100 wrote to memory of 2008   1100  rundll32.exe  rundll32.exe
  PID 2008 wrote to memory of 1464   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1464   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1464   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1464   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1208   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1208   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1208   2008  rundll32.exe  cmd.exe
  PID 2008 wrote to memory of 1208   2008  rundll32.exe  cmd.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9d755ac4aa548ba194acf65b05994f4.dll,#1
  PID: 1100
  Signature: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9d755ac4aa548ba194acf65b05994f4.dll,#1
    PID: 2008
    Signature: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
      PID: 1464

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
      PID: 1208