Analysis
Max time kernel: 74s
Max time network: 41s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 29-05-2021 08:03

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: e831ff515cc180c75f785d3cb2a87f44.dll
Resource: win7v20210408 (windows7_x64)
Signatures: 0
Time: 0 seconds
General
Target: e831ff515cc180c75f785d3cb2a87f44.dll
Size: 937KB
MD5: e831ff515cc180c75f785d3cb2a87f44
SHA1: 14fb663817ee2a7fe2fed270c8df00450965ef23
SHA256: 342d0e49cdf1ed074223c1f34f5d98e882716cf7f2804e47b974238f416a8313
SHA512: c6f59dedbf571d20b239996977a928d09a0dd91564fe05f6830284f832a978886d25ca975c558f4f51180c1c4657dd6961eb9c6e1971a7482859e9d924c83f92
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 4500
C2:
    app3.maintorna.com
    chat.billionady.com
    app5.folion.xyz
    wer.defone.click
Attributes:
    build: 250188
    exe_type: loader
    server_id: 580
    rsa_pubkey.base64
    serpent.plain
Signatures
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: rundll32.exe, rundll32.exe
    PID 660 (rundll32.exe) wrote to memory of PID 1884 (rundll32.exe): 7 events
    PID 1884 (rundll32.exe) wrote to memory of PID 840 (cmd.exe): 4 events
    PID 1884 (rundll32.exe) wrote to memory of PID 1352 (cmd.exe): 4 events
Processes
C:\Windows\system32\rundll32.exe (PID 660)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e831ff515cc180c75f785d3cb2a87f44.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 1884, child of 660)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\e831ff515cc180c75f785d3cb2a87f44.dll,#1
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 840, child of 1884)
            C:\Windows\system32\cmd.exe /c cd Island
        C:\Windows\SysWOW64\cmd.exe (PID 1352, child of 1884)
            C:\Windows\system32\cmd.exe /c cd Matter m

The DLL is invoked by export ordinal (,#1). The hop from the 64-bit rundll32 in system32 to the 32-bit one in SysWOW64 is what rundll32 does when handed a 32-bit DLL, so the PID 660 -> 1884 writes are the parent writing into the 32-bit rundll32 it launched, not a write into an unrelated process. The rows to focus on are the 32-bit rundll32 (PID 1884) writing into the two cmd.exe children it spawned, whose command lines do nothing but change directory. The trace covers the loader stage only, which matches the extracted config's exe_type of loader; no later stage is recorded on this page.
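The following is an added example, not part of the sandbox report: it parses the report's "wrote to memory of" rows (reconstructed below from the 15 IoCs the page lists) together with the process tree, collapses the repeats, and decides which writer/target pairs deserve an alert. The split into an expected WoW64 hand-off (64-bit rundll32 in system32 writing into the 32-bit rundll32 it spawned) versus the loader writing into a cmd.exe child is this example's own triage rule, not a verdict the sandbox page states.

```python
"""Triage the WriteProcessMemory rows for a rundll32 -> rundll32 -> cmd.exe chain.

Added example, not part of the sandbox report. The event text and the process
table below are constructed from the report's rows; the classification rules
(expected WoW64 hand-off versus loader driving a child shell) are assumptions.
"""
import re
from collections import Counter

# Constructed: the report's 15 IoC rows, which the page shows as one run-on line.
WPM_EVENTS = (
    "PID 660 wrote to memory of 1884 660 rundll32.exe rundll32.exe " * 7
    + "PID 1884 wrote to memory of 840 1884 rundll32.exe cmd.exe " * 4
    + "PID 1884 wrote to memory of 1352 1884 rundll32.exe cmd.exe " * 4
)

# Constructed from the report's process tree: pid -> (parent pid, image path, command line).
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\e831ff515cc180c75f785d3cb2a87f44.dll"
PROCESSES = {
    660:  (None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    1884: (660,  r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    840:  (1884, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cd Island"),
    1352: (1884, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cd Matter m"),
}

# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Collapse repeated rows into (src_pid, dst_pid, src_img, dst_img) -> count."""
    return Counter(
        (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        for m in EVENT_RE.finditer(text)
    )


def classify(events, procs):
    """Attach a verdict to every writer -> target pair (assumed rules, see above).

    wow64-relaunch:  64-bit rundll32 (system32) writing into the 32-bit rundll32
                     (SysWOW64) it spawned for a 32-bit DLL. Keep as context.
    loader-to-shell: rundll32 writing into a cmd.exe child it created. This is
                     the loader driving a shell and is the row to alert on.
    other:           anything else; surface for manual review.
    """
    findings = []
    for (src, dst, src_img, dst_img), n in sorted(events.items()):
        _, src_path, _ = procs[src]
        dst_parent, dst_path, dst_cmd = procs[dst]
        is_child = dst_parent == src
        if (src_img == dst_img == "rundll32.exe" and is_child
                and "\\system32\\" in src_path.lower()
                and "\\syswow64\\" in dst_path.lower()):
            kind = "wow64-relaunch"
        elif src_img == "rundll32.exe" and dst_img == "cmd.exe" and is_child:
            kind = "loader-to-shell"
        else:
            kind = "other"
        findings.append({"src": src, "dst": dst, "writes": n, "kind": kind,
                         "child": is_child, "target_cmdline": dst_cmd})
    return findings


def alerts(findings):
    """Only the rows where the loader writes into a shell child it spawned."""
    return [f for f in findings if f["kind"] == "loader-to-shell"]


if __name__ == "__main__":
    found = classify(parse_events(WPM_EVENTS), PROCESSES)
    for f in found:
        print(f"{f['src']} -> {f['dst']} x{f['writes']:<2} {f['kind']:<16} {f['target_cmdline']}")
    print(f"{len(alerts(found))} alert(s)")
```

Run stand-alone it prints three collapsed rows (7, 4 and 4 writes) and reports two alerts, the two cmd.exe children of PID 1884. The parent/child check matters: a rundll32 writing into a cmd.exe it did not create would fall through to "other" and should be reviewed as possible injection rather than silently matched by the shell rule.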
Downloads
File                                                              Size
memory/840-61-0x0000000000000000-mapping.dmp                      -
memory/1352-62-0x0000000000000000-mapping.dmp                     -
memory/1884-60-0x0000000075051000-0x0000000075053000-memory.dmp   8KB
memory/1884-59-0x0000000000000000-mapping.dmp                     -
memory/1884-64-0x0000000074320000-0x0000000074424000-memory.dmp   1.0MB
memory/1884-63-0x0000000074320000-0x000000007432E000-memory.dmp   56KB
memory/1884-65-0x0000000000130000-0x0000000000131000-memory.dmp   4KB

File names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the mapping.dmp entries carry the process mapping and no dumped region, so they have no size. All region dumps come from PID 1884, the 32-bit rundll32. The 1.0MB region at 0x74320000-0x74424000 (also dumped as a 56KB prefix at the same base) is the one to open first: its size is in line with the 937KB DLL, so it is the likely in-memory image of the loaded sample.