Analysis
- max time kernel: 78s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-05-2021 06:04

Static task: static1
Behavioral task: behavioral1
- Sample: 4fe0db5ea9c73bc364eed17a125e1ea7.dll
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 4fe0db5ea9c73bc364eed17a125e1ea7.dll
- Size: 937KB
- MD5: 4fe0db5ea9c73bc364eed17a125e1ea7
- SHA1: 63901d57da65f74a1ca0287f50b19784cd90b903
- SHA256: e1241c08f206c0874f1ce8ce896f6eec7c44eaca16b0f84c14f1b16571b3feef
- SHA512: 6c106d2212f48f9f36b1aa9dc1ec38e7739d43d20d5d5444cb664d5937c55f2be8a6e8447354cc23135f7631b80e6b9cd19d6f767ebd55e78478d1ea9a3dd585
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  app3.maintorna.com
  chat.billionady.com
  app5.folion.xyz
  wer.defone.click
- Attributes:
  build: 250188
  exe_type: loader
  server_id: 580
  rsa_pubkey.base64 (value not shown on this page)
  serpent.plain (value not shown on this page)
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1084 wrote to memory of 1228 | 1084 | rundll32.exe | rundll32.exe (7 identical rows)
  PID 1228 wrote to memory of 1500 | 1228 | rundll32.exe | cmd.exe (4 identical rows)
  PID 1228 wrote to memory of 1740 | 1228 | rundll32.exe | cmd.exe (4 identical rows)
  Two distinct hops are recorded here. The 1084 -> 1228 writes are consistent with the 64-bit C:\Windows\system32\rundll32.exe handing a 32-bit DLL to its C:\Windows\SysWOW64\rundll32.exe counterpart on the x64 host (the loader is then mapped in PID 1228, see the 0x74C70000 dumps under Downloads); this re-launch happens for any 32-bit DLL and is not by itself malicious. The 1228 -> 1500 and 1228 -> 1740 writes are the 32-bit rundll32.exe creating the two cmd.exe processes listed under Processes, which is the behaviour worth alerting on.
Processes
- C:\Windows\system32\rundll32.exe (PID 1084)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fe0db5ea9c73bc364eed17a125e1ea7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1228)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fe0db5ea9c73bc364eed17a125e1ea7.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd Matter m
    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cd Island
  Both cmd.exe instances (PIDs 1500 and 1740 in the WriteProcessMemory table) are children of the SysWOW64 rundll32.exe. Their image path is C:\Windows\SysWOW64\cmd.exe even though the command line names C:\Windows\system32\cmd.exe: the 32-bit parent is subject to WOW64 file-system redirection, so a detection that matches only on the literal path in the command line would miss the actual binary that ran.
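The process tree above can be rebuilt from the WriteProcessMemory rows alone, which is useful when only the flattened signature table survives an export. The script below is an added example and is not part of the Triage report or its tooling: it parses the fifteen flattened IoC rows, collapses the repeats into one edge per writer/target pair with a count, renders the tree in the same shape as the Processes list, and flags a DLL host (rundll32.exe) writing into a shell (cmd.exe). The row text is copied from this report as a constructed input; the HOSTS and SHELLS lists and all function names are this example's own assumptions.

```python
"""Rebuild a process tree from a Triage 'Suspicious use of WriteProcessMemory'
IoC table and flag DLL-host -> shell handoffs.  Added example; the input below
is the fifteen rows of this report, constructed here as a single string."""
import re
from collections import defaultdict

# Constructed input: the report's rows as they appear once the HTML table is
# flattened onto one line (description, pid, process, target process).
IOC_TEXT = (
    "PID 1084 wrote to memory of 1228 1084 rundll32.exe rundll32.exe " * 7
    + "PID 1228 wrote to memory of 1500 1228 rundll32.exe cmd.exe " * 4
    + "PID 1228 wrote to memory of 1740 1228 rundll32.exe cmd.exe " * 4
)

# One row; the pid column repeats the writer PID from the description, so a
# backreference rejects rows where the two disagree (a sign of mis-parsing).
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Assumed lists for this example: images that should not be writing into a
# freshly created shell.
HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_events(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in ROW_RE.findall(text)]


def build_tree(events):
    """Collapse repeated rows into one edge per (writer, target).

    Triage logs every WriteProcessMemory call, so one child shows up several
    times; the count is kept because a single write and a sustained handoff
    are worth telling apart."""
    tree = defaultdict(dict)
    for writer, target, w_img, t_img in events:
        edge = tree[writer].setdefault(
            target, {"writer": w_img, "target": t_img, "count": 0})
        edge["count"] += 1
    return dict(tree)


def roots(tree):
    """PIDs that write to others but are never written to: the top of the tree."""
    targets = {t for kids in tree.values() for t in kids}
    return sorted(p for p in tree if p not in targets)


def flag_shell_spawn(tree):
    """Flag edges where a DLL/script host writes into a shell process."""
    findings = []
    for parent, kids in tree.items():
        for child, edge in kids.items():
            if edge["writer"].lower() in HOSTS and edge["target"].lower() in SHELLS:
                findings.append({"parent": parent, "child": child,
                                 "rule": f"{edge['writer']} -> {edge['target']}"})
    return findings


def render(tree, pid, image, depth=0):
    """Indented text tree, one line per process, children sorted by PID."""
    lines = [f"{'  ' * depth}{pid} {image}"]
    for child, edge in sorted(tree.get(pid, {}).items()):
        label = f"{edge['target']} (written {edge['count']}x)"
        lines.extend(render(tree, child, label, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_events(IOC_TEXT))
    for root in roots(tree):
        root_image = next(iter(tree[root].values()))["writer"]
        print("\n".join(render(tree, root, root_image)))
    for finding in flag_shell_spawn(tree):
        print("FLAG", finding)
```

The rule deliberately keys on the rundll32.exe -> cmd.exe edges rather than on any cross-process write: on an x64 host, the 64-bit rundll32.exe re-launches its SysWOW64 counterpart for a 32-bit DLL and writes into it during that handoff, so a "rundll32 wrote to another process" rule fires on every 32-bit DLL load and is noise.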
Downloads
- memory/1228-61-0x00000000752F1000-0x00000000752F3000-memory.dmp (8KB)
- memory/1228-60-0x0000000000000000-mapping.dmp
- memory/1228-65-0x0000000074C70000-0x0000000074D74000-memory.dmp (1.0MB)
- memory/1228-64-0x0000000074C70000-0x0000000074C7E000-memory.dmp (56KB)
- memory/1228-66-0x0000000000180000-0x0000000000181000-memory.dmp (4KB)
- memory/1500-62-0x0000000000000000-mapping.dmp
- memory/1740-63-0x0000000000000000-mapping.dmp
All dumps come from PID 1228, the SysWOW64 rundll32.exe. The 1.0MB region 0x74C70000-0x74D74000 (0x104000 bytes) is the right size for the 937KB sample once its sections are page-aligned in memory, so it is the dump to pull first when looking for the loader's in-memory image; the 56KB dump covers the first 0xE000 bytes of the same region. The 0x0000000000000000-mapping.dmp entries for 1228, 1500 and 1740 are mapping records rather than memory contents.