Analysis
-
max time kernel
19s -
max time network
33s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
22-06-2021 09:03
General
-
Target
60d1a6a1be17f.dll
-
Size
349KB
-
MD5
af580b336ff6905cd6b28f2cbb74efad
-
SHA1
671119f873ad83df335b97af20c1381efa97f7dc
-
SHA256
913535ed97ea88e3b80fe9032698ff77d697243cd8badf34aa9870e18c689121
-
SHA512
ab949f7c5fce9ac8ab8ea4563bf581204b691a8d62f1727c5bec507093bfc6d80e4c6d8be9ef0aa6d7773c08e219fb11b9f63415c82010b12a2e379eb162aa08
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8877
C2
outlook.com
gerimerunollu.club
herimerunollu.club
Attributes
-
build
250206
-
dga_season
10
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\60d1a6a1be17f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\60d1a6a1be17f.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1072-60-0x0000000000000000-mapping.dmp
-
memory/1072-61-0x0000000075011000-0x0000000075013000-memory.dmpFilesize
8KB
-
memory/1072-63-0x0000000074A50000-0x0000000074B48000-memory.dmpFilesize
992KB
-
memory/1072-62-0x0000000074A50000-0x0000000074A5F000-memory.dmpFilesize
60KB
-
memory/1072-64-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB