Analysis
- max time kernel: 50s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 12-05-2021 14:05

Static task: static1
Behavioral task: behavioral1
- Sample: 70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a.dll
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a.dll
- Size: 471KB
- MD5: c63f11211f899e38c1c230594024950a
- SHA1: 4d5baeaf852156dbe8053a1c600c7d96049f5967
- SHA256: 70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
- SHA512: acb47d73ee0ae648188d90ba65584e4261ca8c174305e30e7249d7c8daeccb7b1ac71d8c85d269077b1397adbd29e3deba99ffb89f24c02e8dccbefab14f556b
Malware Config (extracted)
- Family: gozi_ifsb
- Botnet: 2500
- C2:
  - app.buboleinov.com
  - chat.veminiare.com
  - chat.billionady.com
  - app3.maintorna.com
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)

  description | pid | process | target pid | target process
  PID 648 wrote to memory of 836 | 648 | rundll32.exe | 836 | rundll32.exe
  PID 648 wrote to memory of 836 | 648 | rundll32.exe | 836 | rundll32.exe
  PID 648 wrote to memory of 836 | 648 | rundll32.exe | 836 | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 648)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 836, child of 648)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a.dll,#1

The DLL is invoked by ordinal (",#1") from the user's Temp directory. The 64-bit rundll32.exe in system32 re-launches the SysWOW64 rundll32.exe with the same command line, which is the hand-off rundll32 performs when the DLL it is given is 32-bit; the three recorded WriteProcessMemory calls all go from the parent (648) into that child (836).
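Detection logic for the pattern in the Signatures and Processes sections above, as an added example that is not part of the sandbox report: it parses rundll32 command lines, flags a DLL loaded by ordinal from a user-writable path, and correlates cross-process writes with the parent/child relationship of the two processes. The event records, PIDs 3000 and 900, the severity scale and the benign shell32.dll control are all constructed for the example; only PIDs 648/836, the DLL path and the ",#1" entry point come from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on the report's process tree and its three
# "Suspicious use of WriteProcessMemory" rows; it is not real sandbox or EDR output.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a.dll")
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 648, "ppid": 3000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 836, "ppid": 648,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "write_process_memory", "pid": 648, "target_pid": 836},
    {"type": "write_process_memory", "pid": 648, "target_pid": 836},
    {"type": "write_process_memory", "pid": 648, "target_pid": 836},
    # Benign control (constructed): rundll32 calling a named export of a System32 DLL.
    {"type": "process_create", "pid": 900, "ppid": 3000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
]

# rundll32 command line: <rundll32> <dll>,<entry> [args]; the DLL path may be quoted.
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

# Locations an unprivileged user can write to; a DLL that a Windows LOLBin
# loads from here deserves a look regardless of what else happens.
USER_WRITABLE = re.compile(
    r'\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)',
    re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll")), m.group("entry")


def rundll32_findings(event):
    """Reasons a rundll32 process_create event looks suspicious (empty if none)."""
    parsed = parse_rundll32(event.get("cmdline", ""))
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if USER_WRITABLE.search(dll):
        reasons.append("dll_in_user_writable_path")
    if entry.startswith("#"):          # export called by ordinal, e.g. ",#1"
        reasons.append("ordinal_entry_point")
    return reasons


def find_injection_chains(events):
    """Correlate cross-process writes with the command lines of both processes."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1

    alerts = []
    for (src, dst), count in writes.items():
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            continue
        # A parent writing into a child it just spawned is also what ordinary process
        # start-up looks like (a 64-bit rundll32 handing a 32-bit DLL to its SysWOW64
        # twin is one such case), so the write alone only earns "low"; the command
        # line lifts it to "medium", and a write into an unrelated process is "high".
        relation = "parent_to_child" if d["ppid"] == src else "unrelated"
        reasons = list(dict.fromkeys(rundll32_findings(s) + rundll32_findings(d)))
        if relation == "unrelated":
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"pid": src, "target_pid": dst, "writes": count,
                       "relation": relation, "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_injection_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events this yields one alert: 648 wrote into its child 836 three times, with reasons dll_in_user_writable_path and ordinal_entry_point, so the parent-to-child write is scored "medium" rather than dismissed; the shell32.dll control produces no findings. The hashes and C2 domains from the General and Malware Config sections are the complementary static indicators to pair with this behavioural check.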
Network
MITRE ATT&CK Matrix
Downloads
- memory/836-114-0x0000000000000000-mapping.dmp
- memory/836-116-0x0000000073F50000-0x0000000073FDE000-memory.dmp (568KB)
- memory/836-115-0x0000000073F50000-0x0000000073F5E000-memory.dmp (56KB)
- memory/836-117-0x00000000031E0000-0x00000000031E1000-memory.dmp (4KB)

All four dumps are from PID 836, the SysWOW64 rundll32.exe. Dumps 836-115 and 836-116 share the base address 0x73F50000, so the 56KB region is the first 0xE000 bytes of the 568KB one.