Analysis

- max time kernel: 94s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-05-2021 11:04

Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: b9b732dbc6f94c79b5767eb98ebd899a.dll
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
General

- Target: b9b732dbc6f94c79b5767eb98ebd899a.dll
- Size: 467KB
- MD5: b9b732dbc6f94c79b5767eb98ebd899a
- SHA1: 984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
- SHA256: 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
- SHA512: 595b4429e9f13212740ac4f9e12282dc3fdf9e141041695e4fe6302acf7aac2527275cb6a98eec78049758972c946cc62971604f68f7de68ad2350d13bac497a
Malware Config

Extracted

- Family: gozi_ifsb
- Botnet: 8877
- C2:
  - outlook.com/login
  - gmail.com
  - worunekulo.club
  - horunekulo.website
- Attributes:
  - build: 250196
  - dga_season: 10
  - exe_type: loader
  - server_id: 12
  - rsa_pubkey.base64
  - serpent.plain
Signatures

- Suspicious use of WriteProcessMemory (3 IoCs)

  Processes:

  description                          pid   process       target process
  PID 2104 wrote to memory of 3260     2104  rundll32.exe  rundll32.exe
  PID 2104 wrote to memory of 3260     2104  rundll32.exe  rundll32.exe
  PID 2104 wrote to memory of 3260     2104  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9b732dbc6f94c79b5767eb98ebd899a.dll,#1
  - PID: 2104
  - Signatures: Suspicious use of WriteProcessMemory
  - Child process:
    - C:\Windows\SysWOW64\rundll32.exe
      - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9b732dbc6f94c79b5767eb98ebd899a.dll,#1
      - PID: 3260
Network
MITRE ATT&CK Matrix
Downloads

- memory/3260-114-0x0000000000000000-mapping.dmp
- memory/3260-116-0x0000000073D00000-0x0000000073D91000-memory.dmp (Filesize: 580KB)
- memory/3260-115-0x0000000073D00000-0x0000000073D0F000-memory.dmp (Filesize: 60KB)
- memory/3260-117-0x0000000000490000-0x00000000005DA000-memory.dmp (Filesize: 1.3MB)