Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
08-06-2021 07:50
General
-
Target
c8b221612741b1116297e99c98d91224.dll
-
Size
886KB
-
MD5
c8b221612741b1116297e99c98d91224
-
SHA1
6d24661f65e17e414f870922fc1990a66ef8d26f
-
SHA256
11d689b83c6bfd20e566c5cb71773e1f66cc32f43d44ccf5a1566886fb42c49d
-
SHA512
76a35574e67ac683a653f461d8fccd943d2ced7ce747c1f7eea0ced29d56d8cb80174c83e1b7c6c44311b0bd97daaf8d0664a64a946ee30a165901823a7751e8
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
1500
C2
authd.feronok.com
app.bighomegl.at
Attributes
-
build
250204
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8b221612741b1116297e99c98d91224.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8b221612741b1116297e99c98d91224.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2000-59-0x0000000000000000-mapping.dmp
-
memory/2000-60-0x0000000075551000-0x0000000075553000-memory.dmpFilesize
8KB
-
memory/2000-62-0x0000000074CB0000-0x0000000074DDB000-memory.dmpFilesize
1.2MB
-
memory/2000-61-0x0000000074CB0000-0x0000000074CBD000-memory.dmpFilesize
52KB
-
memory/2000-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB