Overview

overview

10

Static

static

9fcf3ab870...3b.dll

windows7_x64

10

9fcf3ab870...3b.dll

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-05-2021 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fcf3ab8703045032737668793f5563b.dll

  • Size

    937KB

  • MD5

    9fcf3ab8703045032737668793f5563b

  • SHA1

    8d4db3886f332122eb430b04419d0befd0833107

  • SHA256

    dff28a4e03d3df0f6a7d39a77dd7d6243bdc9117b0b0da3b280447184856f4df

  • SHA512

    309cda81815d9c70555b978a4ba65e751f51df8b72f4352b9de37f20be55769321c34693f6c52598cae4cc8477ed6c07bd66ef030fa78202cbe19279416b3953

Score
10/10
gozi_ifsb4500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click
Attributes
  • build

    250188

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fcf3ab8703045032737668793f5563b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fcf3ab8703045032737668793f5563b.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd Island
        3⤵
          PID:188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cd Matter m
          3⤵
            PID:1192
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3888 CREDAT:82945 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:200

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/188-115-0x0000000000000000-mapping.dmp
        Download
      • memory/200-122-0x0000000000000000-mapping.dmp
        Download
      • memory/748-114-0x0000000000000000-mapping.dmp
        Download
      • memory/748-117-0x0000000073B10000-0x0000000073B1E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/748-118-0x0000000073B10000-0x0000000073C14000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/748-119-0x0000000000950000-0x0000000000A9A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1192-116-0x0000000000000000-mapping.dmp
        Download
      • memory/3888-121-0x00007FFD69AA0000-0x00007FFD69B0B000-memory.dmp
        Filesize

        428KB

        Download