Analysis
-
max time kernel
122s -
max time network
155s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-05-2021 08:05
General
-
Target
c685c42e90ca6bf2263df3d0f75387b9.dll
-
Size
937KB
-
MD5
c685c42e90ca6bf2263df3d0f75387b9
-
SHA1
83fb61da38efbe587cbe692e1ea905404ec6ef18
-
SHA256
ea6f45d0aa95e66e3dbfaddb86daca33f3ac393ceabef34edbb8653a94960682
-
SHA512
d37d7b57c77912d9964682d743c4270be11a94a7e0401462034c4522983bfb886ca3e4e6388cd5dc86b20c03cb5b518d59498cc67ba3cc830b4eaba70b6ed000
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
app3.maintorna.com
chat.billionady.com
app5.folion.xyz
wer.defone.click
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c685c42e90ca6bf2263df3d0f75387b9.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c685c42e90ca6bf2263df3d0f75387b9.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Island3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd Matter m3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1244-60-0x0000000000000000-mapping.dmp
-
memory/1244-61-0x0000000076691000-0x0000000076693000-memory.dmpFilesize
8KB
-
memory/1244-65-0x0000000074C00000-0x0000000074D04000-memory.dmpFilesize
1.0MB
-
memory/1244-64-0x0000000074C00000-0x0000000074C0E000-memory.dmpFilesize
56KB
-
memory/1244-66-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/1368-62-0x0000000000000000-mapping.dmp
-
memory/1468-63-0x0000000000000000-mapping.dmp