Analysis
- max time kernel: 71s
- max time network: 39s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-06-2021 12:09

Static task: static1
Behavioral task: behavioral1
- Sample: 339f3c74c70ecad94a1ed77ed695e0e184f4547be4d528c80d37ea7573c4bde0.dll
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 339f3c74c70ecad94a1ed77ed695e0e184f4547be4d528c80d37ea7573c4bde0.dll
- Size: 937KB
- MD5: 941ccb3a8c0e865c06cc8a6aa29e1bc6
- SHA1: 454885f5d511ecd33f93cb96e3afbc2c01f37f22
- SHA256: 339f3c74c70ecad94a1ed77ed695e0e184f4547be4d528c80d37ea7573c4bde0
- SHA512: ace5f70b832d8cf164eafdbf2193b471345d04b621d23faadb11ca1b0e33648b9df89becfe7c0be54aa3e6f88e6d6e8dd9efc8e44d9c96eee542e33ec493f60c
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
- rsa_pubkey.base64
- serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)

Processes:

| description | PID | process | target process |
|---|---|---|---|
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 1820 wrote to memory of 2004 | 1820 | rundll32.exe | rundll32.exe |
| PID 2004 wrote to memory of 1156 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 1156 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 1156 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 1156 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 2028 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 2028 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 2028 | 2004 | rundll32.exe | cmd.exe |
| PID 2004 wrote to memory of 2028 | 2004 | rundll32.exe | cmd.exe |
Processes
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\339f3c74c70ecad94a1ed77ed695e0e184f4547be4d528c80d37ea7573c4bde0.dll,#1)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\339f3c74c70ecad94a1ed77ed695e0e184f4547be4d528c80d37ea7573c4bde0.dll,#1)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c cd Island)
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c cd Matter m)
Network
MITRE ATT&CK Matrix
Downloads
- memory/1156-61-0x0000000000000000-mapping.dmp
- memory/2004-59-0x0000000000000000-mapping.dmp
- memory/2004-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (filesize: 8KB)
- memory/2004-64-0x0000000074C00000-0x0000000074D04000-memory.dmp (filesize: 1.0MB)
- memory/2004-63-0x0000000074C00000-0x0000000074C0E000-memory.dmp (filesize: 56KB)
- memory/2004-65-0x0000000000130000-0x0000000000131000-memory.dmp (filesize: 4KB)
- memory/2028-62-0x0000000000000000-mapping.dmp