Analysis
Max time kernel: 76s
Max time network: 38s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 28-05-2021 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: c887b7b0ad16d35114d83e25f723f3c9.dll
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
General
Target: c887b7b0ad16d35114d83e25f723f3c9.dll
Size: 937KB
MD5: c887b7b0ad16d35114d83e25f723f3c9
SHA1: 9e9c1836ef0a0a4e089a643123d1ab77624d2e80
SHA256: 7d2d2b783767c912afd95995db9c019b2791eed1c812c90c266353ac372e1fa7
SHA512: 7456c2c6c9c39c01c56b316af9da8a19a376acac22cab4a10a473407d2681cec424e1d0eee17332aab8e4b73f53d9f5d06c4d198c2b26bb56c0a75927cd3b7c7
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 4500
C2:
  app3.maintorna.com
  chat.billionady.com
  app5.folion.xyz
  wer.defone.click
Attributes:
  build: 250188
  exe_type: loader
  server_id: 580
  rsa_pubkey.base64
  serpent.plain
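The four C2 hosts above are the part of this report that turns directly into a hunt. The following is an added example, not code from the report or from the sandbox vendor, of matching them against DNS and proxy logs. The log lines are constructed for the example (they are not traffic from this run), and the log formats are assumptions; the matcher does suffix matching on label boundaries so that a subdomain of a C2 host matches while a longer domain that merely contains the C2 name does not.

```python
"""Hunt DNS and proxy logs for the C2 hosts listed in the extracted gozi_ifsb config."""
import re
from typing import Dict, Iterable, List, Optional

# C2 hosts exactly as listed under "Malware Config" in the report.
C2_HOSTS = (
    "app3.maintorna.com",
    "chat.billionady.com",
    "app5.folion.xyz",
    "wer.defone.click",
)

# Constructed sample log lines (not from the sandbox run): two Windows DNS client
# style lines, two BIND-style query lines and two proxy lines. Line 4 is a
# look-alike (a C2 name embedded inside a longer domain) that must NOT match.
SAMPLE_LOG = """\
2021-05-28T19:07:01Z host=WS01 dns_query name=App3.Maintorna.com. type=A
2021-05-28T19:07:02Z host=WS01 dns_query name=www.microsoft.com type=A
28-May-2021 19:07:03.221 client 10.0.0.15#52211: query: chat.billionady.com IN A +
28-May-2021 19:07:04.002 client 10.0.0.15#52212: query: chat.billionady.com.example.net IN A +
2021-05-28T19:07:05Z proxy src=10.0.0.15 url=http://app5.folion.xyz/images/qc7/Jw0c.bmp status=200
2021-05-28T19:07:06Z proxy src=10.0.0.15 url=https://login.live.com/ status=200
"""

# Any dotted host-like token; the lookarounds stop it from starting or ending
# inside a longer word, and the optional trailing dot absorbs FQDN notation.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,63})\.?(?![\w-])", re.I)


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot so 'App3.Maintorna.com.' == 'app3.maintorna.com'."""
    return host.rstrip(".").lower()


def matches_c2(host: str, c2_hosts: Iterable[str] = C2_HOSTS) -> Optional[str]:
    """Return the C2 host that `host` equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries, so 'x.wer.defone.click' matches
    but 'wer.defone.click.evil.net' does not.
    """
    h = normalize(host)
    for c2 in c2_hosts:
        if h == c2 or h.endswith("." + c2):
            return c2
    return None


def hunt(lines: Iterable[str], c2_hosts: Iterable[str] = C2_HOSTS) -> List[Dict]:
    """Scan log lines and return one hit per (line, C2 host) pair."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for m in HOST_RE.finditer(line):
            c2 = matches_c2(m.group(1), c2_hosts)
            if c2 and c2 not in seen:
                seen.add(c2)
                hits.append({"line": lineno, "c2": c2,
                             "observed": normalize(m.group(1)), "text": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['observed']} -> C2 {hit['c2']}")
```

Run against the constructed lines, lines 1, 3 and 5 are reported and line 4 is not; swap SAMPLE_LOG for a real DNS or proxy export to hunt for the same hosts.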
Signatures
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description         pid   process       target pid  target process  count
  wrote to memory of  1472  rundll32.exe  1660        rundll32.exe    7
  wrote to memory of  1660  rundll32.exe  836         cmd.exe         4
  wrote to memory of  1660  rundll32.exe  1508        cmd.exe         4
Every one of the 15 writes goes from a parent into a child it spawned (1472 is the 64-bit C:\Windows\system32\rundll32.exe, 1660 the SysWOW64 copy it starts to host the 32-bit DLL, 836 and 1508 the two cmd.exe children of 1660), matching the process tree below; no write into a pre-existing or unrelated process, the pattern that would indicate injection, is recorded.
Processes
1. C:\Windows\system32\rundll32.exe (PID 1472)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\c887b7b0ad16d35114d83e25f723f3c9.dll,#1
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1660)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c887b7b0ad16d35114d83e25f723f3c9.dll,#1
      Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe /c cd Island
      3. C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe /c cd Matter m
The two cmd.exe children are PIDs 836 and 1508 (see the WriteProcessMemory IoCs above).
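The WriteProcessMemory signature is only as useful as the question "did the writer create the target?", so the following added example (not code from the report or the sandbox vendor) parses the flattened IoC text as the report prints it, aggregates writes per edge and labels each edge against the process tree. The 15 records and the 1472 -> 1660 -> {836, 1508} tree are taken from the report; the explorer.exe process (PID 1900) and the single write into it are constructed solely to show how a write into a non-child is flagged.

```python
"""Triage the WriteProcessMemory IoCs from the report against the process tree."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# pid -> (parent pid, image). The 1472 -> 1660 -> {836, 1508} chain is the report's
# process tree; 1900 explorer.exe is a constructed, pre-existing process added only
# to show how a write into a non-child is flagged.
PROCESS_TREE: Dict[int, Tuple[Optional[int], str]] = {
    1472: (None, "rundll32.exe"),
    1660: (1472, "rundll32.exe"),
    836:  (1660, "cmd.exe"),
    1508: (1660, "cmd.exe"),
    1900: (None, "explorer.exe"),  # constructed
}

# The 15 flattened IoC records exactly as the report prints them, plus one
# constructed record (1660 -> 1900) to exercise the injection branch.
IOC_TEXT = (
    "PID 1472 wrote to memory of 1660 1472 rundll32.exe rundll32.exe " * 7
    + "PID 1660 wrote to memory of 836 1660 rundll32.exe cmd.exe " * 4
    + "PID 1660 wrote to memory of 1508 1660 rundll32.exe cmd.exe " * 4
    + "PID 1660 wrote to memory of 1900 1660 rundll32.exe explorer.exe "  # constructed
)

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

Record = Tuple[int, int, str, str]  # writer pid, target pid, writer image, target image


def parse_records(text: str) -> List[Record]:
    """Split the flattened IoC text into (writer, target, writer_image, target_image)."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in RECORD_RE.findall(text)]


def classify(records: List[Record], tree: Dict[int, Tuple[Optional[int], str]]) -> List[Dict]:
    """Aggregate writes per (writer, target) edge and label each edge.

    Sandboxes log the writes a parent makes into a process it has just created
    (CreateProcess writes the new process's parameters into it), so parent-to-child
    writes are the expected handoff. A write into a process the writer did not
    create is the pattern to investigate.
    """
    counts = Counter(records)  # dict order == first-seen order
    edges = []
    for (writer, target, wimg, timg), n in counts.items():
        parent = tree.get(target, (None, None))[0]
        kind = "child handoff" if parent == writer else "cross-process write (injection candidate)"
        edges.append({"writer": writer, "writer_image": wimg, "target": target,
                      "target_image": timg, "count": n, "kind": kind})
    return edges


def injection_candidates(edges: List[Dict]) -> List[Dict]:
    """Edges whose target is not a child of the writer."""
    return [e for e in edges if e["kind"] != "child handoff"]


if __name__ == "__main__":
    for e in classify(parse_records(IOC_TEXT), PROCESS_TREE):
        print(f"{e['writer']} {e['writer_image']} -> {e['target']} {e['target_image']} "
              f"x{e['count']}: {e['kind']}")
```

With only the report's 15 records the candidate list is empty, which is the reading given under Signatures; the constructed 16th record is the one that would be flagged.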
Network
MITRE ATT&CK Matrix
Downloads
memory/836-61-0x0000000000000000-mapping.dmp
memory/1508-62-0x0000000000000000-mapping.dmp
memory/1660-59-0x0000000000000000-mapping.dmp
memory/1660-60-0x00000000757C1000-0x00000000757C3000-memory.dmp  (Filesize 8KB)
memory/1660-64-0x0000000074D80000-0x0000000074E84000-memory.dmp  (Filesize 1.0MB)
memory/1660-63-0x0000000074D80000-0x0000000074D8E000-memory.dmp  (Filesize 56KB)
memory/1660-65-0x0000000000180000-0x0000000000181000-memory.dmp  (Filesize 4KB)
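The dump names encode the PID, a sequence number and the address range of each region, which is enough to check the listed sizes and to pick out which dump can hold the mapped DLL image. The following is an added example, not code from the report or the sandbox vendor; the name layout (memory/<pid>-<index>-0x<start>[-0x<end>]-<mapping|memory>.dmp) is an assumption inferred from the seven names above, and the 937KB file size comes from the General section.

```python
"""Parse the memory dump names listed under Downloads and check the region sizes."""
import re
from typing import Dict, List, Optional

# Dump names exactly as the report lists them.
DUMPS = [
    "memory/836-61-0x0000000000000000-mapping.dmp",
    "memory/1508-62-0x0000000000000000-mapping.dmp",
    "memory/1660-59-0x0000000000000000-mapping.dmp",
    "memory/1660-60-0x00000000757C1000-0x00000000757C3000-memory.dmp",
    "memory/1660-64-0x0000000074D80000-0x0000000074E84000-memory.dmp",
    "memory/1660-63-0x0000000074D80000-0x0000000074D8E000-memory.dmp",
    "memory/1660-65-0x0000000000180000-0x0000000000181000-memory.dmp",
]

SAMPLE_SIZE = 937 * 1024  # the 937KB DLL from the General section

# memory/<pid>-<index>-0x<start>[-0x<end>]-<mapping|memory>.dmp
# (assumed layout, inferred from the names above)
NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp"
)


def parse_dump_name(name: str) -> Dict:
    """Split a dump name into pid, index, kind and the [start, end) region it covers."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end, kind = m.groups()
    start_i = int(start, 16)
    end_i: Optional[int] = int(end, 16) if end else None
    return {"name": name, "pid": int(pid), "index": int(idx), "kind": kind,
            "start": start_i, "end": end_i,
            "size": (end_i - start_i) if end_i is not None else 0}


def human(n: int) -> str:
    """Format like the report: whole KB below 1MB, one decimal of MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def contained_in(inner: Dict, outer: Dict) -> bool:
    """True if `inner` is a memory region lying entirely inside `outer`."""
    if inner["end"] is None or outer["end"] is None:
        return False
    return outer["start"] <= inner["start"] and inner["end"] <= outer["end"]


def candidate_image_regions(dumps: List[Dict], file_size: int = SAMPLE_SIZE) -> List[Dict]:
    """Regions at least as large as the sample file: the ones that can hold its mapped image."""
    return [d for d in dumps if d["kind"] == "memory" and d["size"] >= file_size]


if __name__ == "__main__":
    parsed = [parse_dump_name(n) for n in DUMPS]
    for d in parsed:
        if d["kind"] == "memory":
            print(f"pid {d['pid']} #{d['index']}: {d['start']:#010x}-{d['end']:#010x} {human(d['size'])}")
    for d in candidate_image_regions(parsed):
        print(f"candidate image region: {d['name']} ({human(d['size'])})")
```

The computed sizes reproduce the report's 8KB, 1.0MB, 56KB and 4KB; the 56KB dump (index 63) lies inside the 1.0MB one (index 64), and index 64 is the only region large enough to hold the 937KB DLL, so it is the dump to open first when looking for the loaded module.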