Analysis
-
max time kernel
18s -
max time network
40s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
10-06-2021 14:33
General
-
Target
xadar7.dll
-
Size
388KB
-
MD5
25c2e1969e16e6832b977cbad8a0d3bb
-
SHA1
26f454e0fcf8437ec9af2c54f07bdde2d0b2cd7e
-
SHA256
1fa8b3b4043467e12e94010460c7a141529677390a606299385c35b1d4e30a4c
-
SHA512
b0ac5766eb14b8e4f021ee3179d41df7398923e10add161890b95f293ec9c1e7b6237c7e72c5481121a15a58d0e36727b7d43a28b2707c13b321446105b6d353
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
6000
C2
authd.feronok.com
app.bighomegl.at
Attributes
-
build
250204
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\xadar7.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\xadar7.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1360-60-0x0000000000000000-mapping.dmp
-
memory/1360-61-0x0000000074D91000-0x0000000074D93000-memory.dmpFilesize
8KB
-
memory/1360-63-0x0000000074520000-0x00000000745CF000-memory.dmpFilesize
700KB
-
memory/1360-62-0x0000000074520000-0x000000007452D000-memory.dmpFilesize
52KB
-
memory/1360-64-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB