Analysis
-
max time kernel
28s -
max time network
44s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
10-06-2021 21:01
General
-
Target
SecuriteInfo.com..7135.20767.dll
-
Size
865KB
-
MD5
5ba7ac7fa4f9e831679832b6cc22aee8
-
SHA1
813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
-
SHA256
d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
-
SHA512
a345b0749d5745640fd7908cdb142960da22ac6029bafddc0666d11eb5033756c3cfde84d2fb94dcbf418df40d2ce49ec4a18b919714402b7045b96e619a27cd
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
1500
C2
authd.feronok.com
app.bighomegl.at
Attributes
-
build
250204
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com..7135.20767.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com..7135.20767.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1772-59-0x0000000000000000-mapping.dmp
-
memory/1772-60-0x0000000075041000-0x0000000075043000-memory.dmpFilesize
8KB
-
memory/1772-61-0x0000000074460000-0x000000007446D000-memory.dmpFilesize
52KB
-
memory/1772-62-0x0000000074460000-0x0000000074551000-memory.dmpFilesize
964KB
-
memory/1772-63-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB