Analysis
- max time kernel: 60s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-05-2021 05:58

Static task: static1

Behavioral task: behavioral1
- Sample: 093da571ba1e30c1491752f8e857f211.dll
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 093da571ba1e30c1491752f8e857f211.dll
- Size: 937KB
- MD5: 093da571ba1e30c1491752f8e857f211
- SHA1: cf66bc89ff8de954ee6ef1a4b802bea5a44933be
- SHA256: 49d253dfbd7c2257c1c2f2d703e94df19aaaa68c9d77abea2a6f4b9c12996a41
- SHA512: e3845002c4339091e2ed29473fd8d9039b8513ee6d973beb23c0b0018768c45495bcd35ebd415851fe630aa60bf879fd3b00c0e778992dd84f5bc52feb939403
Malware Config (Extracted)
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)

Processes (source PID / source process wrote to memory of target PID / target process):
- PID 3400 rundll32.exe wrote to memory of PID 2264 rundll32.exe
- PID 3400 rundll32.exe wrote to memory of PID 2264 rundll32.exe
- PID 3400 rundll32.exe wrote to memory of PID 2264 rundll32.exe
- PID 2264 rundll32.exe wrote to memory of PID 1088 cmd.exe
- PID 2264 rundll32.exe wrote to memory of PID 1088 cmd.exe
- PID 2264 rundll32.exe wrote to memory of PID 1088 cmd.exe
- PID 2264 rundll32.exe wrote to memory of PID 2148 cmd.exe
- PID 2264 rundll32.exe wrote to memory of PID 2148 cmd.exe
- PID 2264 rundll32.exe wrote to memory of PID 2148 cmd.exe
Processes (process tree; image path, then command line)
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\093da571ba1e30c1491752f8e857f211.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\093da571ba1e30c1491752f8e857f211.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c cd Matter m
Network
MITRE ATT&CK Matrix
Downloads
- memory/1088-115-0x0000000000000000-mapping.dmp
- memory/2148-116-0x0000000000000000-mapping.dmp
- memory/2264-114-0x0000000000000000-mapping.dmp
- memory/2264-117-0x00000000741D0000-0x00000000741DE000-memory.dmp (Filesize: 56KB)
- memory/2264-118-0x00000000741D0000-0x00000000742D4000-memory.dmp (Filesize: 1.0MB)
- memory/2264-119-0x0000000002F10000-0x000000000305A000-memory.dmp (Filesize: 1.3MB)