Analysis
- max time kernel: 65s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-05-2021 07:04

Static task: static1
Behavioral task: behavioral1
- Sample: 4fe0db5ea9c73bc364eed17a125e1ea7.dll
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 4fe0db5ea9c73bc364eed17a125e1ea7.dll
- Size: 937KB
- MD5: 4fe0db5ea9c73bc364eed17a125e1ea7
- SHA1: 63901d57da65f74a1ca0287f50b19784cd90b903
- SHA256: e1241c08f206c0874f1ce8ce896f6eec7c44eaca16b0f84c14f1b16571b3feef
- SHA512: 6c106d2212f48f9f36b1aa9dc1ec38e7739d43d20d5d5444cb664d5937c55f2be8a6e8447354cc23135f7631b80e6b9cd19d6f767ebd55e78478d1ea9a3dd585
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
Attributes
- build: 250188
- exe_type: loader
- server_id: 580
- rsa_pubkey.base64
- serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                         pid   process       target process
PID 408 wrote to memory of 3968     408   rundll32.exe  rundll32.exe
PID 408 wrote to memory of 3968     408   rundll32.exe  rundll32.exe
PID 408 wrote to memory of 3968     408   rundll32.exe  rundll32.exe
PID 3968 wrote to memory of 1128    3968  rundll32.exe  cmd.exe
PID 3968 wrote to memory of 1128    3968  rundll32.exe  cmd.exe
PID 3968 wrote to memory of 1128    3968  rundll32.exe  cmd.exe
PID 3968 wrote to memory of 2136    3968  rundll32.exe  cmd.exe
PID 3968 wrote to memory of 2136    3968  rundll32.exe  cmd.exe
PID 3968 wrote to memory of 2136    3968  rundll32.exe  cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fe0db5ea9c73bc364eed17a125e1ea7.dll,#1
  PID: 408
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fe0db5ea9c73bc364eed17a125e1ea7.dll,#1
    PID: 3968
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
      PID: 1128
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
      PID: 2136
Network
MITRE ATT&CK Matrix
Downloads
- memory/1128-115-0x0000000000000000-mapping.dmp
- memory/2136-116-0x0000000000000000-mapping.dmp
- memory/3968-114-0x0000000000000000-mapping.dmp
- memory/3968-118-0x00000000738B0000-0x00000000739B4000-memory.dmp (Filesize: 1.0MB)
- memory/3968-117-0x00000000738B0000-0x00000000738BE000-memory.dmp (Filesize: 56KB)
- memory/3968-119-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize: 4KB)