Analysis
-
max time kernel
69s -
max time network
37s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
21-06-2021 20:05
General
-
Target
boxMain.jpg.dll
-
Size
306KB
-
MD5
98d030eeefc3536d68ccb9ae3a2d1502
-
SHA1
9f7d95691e0116f7c0d0f222de2149b073ef6cb6
-
SHA256
a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c
-
SHA512
bbfbd2525c24a5c0474d001f61edabed1ff05f83fb574eb16790e36298da80d8a56d10f28582340f438a3483d232a4efd19055b687fc773aef25856148c2ba52
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
6000
C2
authd.feronok.com
app.bighomegl.at
Attributes
-
build
250204
-
exe_type
loader
-
server_id
580
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\boxMain.jpg.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\boxMain.jpg.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1928-59-0x0000000000000000-mapping.dmp
-
memory/1928-60-0x0000000075C71000-0x0000000075C73000-memory.dmpFilesize
8KB
-
memory/1928-62-0x0000000074820000-0x000000007490A000-memory.dmpFilesize
936KB
-
memory/1928-61-0x0000000074820000-0x000000007482D000-memory.dmpFilesize
52KB
-
memory/1928-63-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB