Overview

overview

10

Static

static

e831ff515c...44.dll

windows7_x64

10

e831ff515c...44.dll

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    29-05-2021 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e831ff515cc180c75f785d3cb2a87f44.dll

  • Size

    937KB

  • MD5

    e831ff515cc180c75f785d3cb2a87f44

  • SHA1

    14fb663817ee2a7fe2fed270c8df00450965ef23

  • SHA256

    342d0e49cdf1ed074223c1f34f5d98e882716cf7f2804e47b974238f416a8313

  • SHA512

    c6f59dedbf571d20b239996977a928d09a0dd91564fe05f6830284f832a978886d25ca975c558f4f51180c1c4657dd6961eb9c6e1971a7482859e9d924c83f92

Score
10/10
gozi_ifsb4500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

app3.maintorna.com

chat.billionady.com

app5.folion.xyz

wer.defone.click
Attributes
  • build

    250188

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e831ff515cc180c75f785d3cb2a87f44.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e831ff515cc180c75f785d3cb2a87f44.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd Island
        3⤵
          PID:2892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cd Matter m
          3⤵
            PID:412

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/412-116-0x0000000000000000-mapping.dmp

        Download

      • memory/2892-115-0x0000000000000000-mapping.dmp

        Download

      • memory/3148-114-0x0000000000000000-mapping.dmp

        Download

      • memory/3148-118-0x00000000735F0000-0x00000000736F4000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3148-117-0x00000000735F0000-0x00000000735FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3148-119-0x0000000000A20000-0x0000000000ACE000-memory.dmp

        Filesize

        696KB

        Download