Analysis

  • max time kernel: 19s
  • max time network: 33s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 22-06-2021 09:03

General

  • Target: 60d1a6a1be17f.dll
  • Size: 349KB
  • MD5: af580b336ff6905cd6b28f2cbb74efad
  • SHA1: 671119f873ad83df335b97af20c1381efa97f7dc
  • SHA256: 913535ed97ea88e3b80fe9032698ff77d697243cd8badf34aa9870e18c689121
  • SHA512: ab949f7c5fce9ac8ab8ea4563bf581204b691a8d62f1727c5bec507093bfc6d80e4c6d8be9ef0aa6d7773c08e219fb11b9f63415c82010b12a2e379eb162aa08

Malware Config

Extracted

  • Family: gozi_ifsb
  • Botnet: 8877
  • C2:
    outlook.com
    gerimerunollu.club
    herimerunollu.club

Attributes

  • build: 250206
  • dga_season: 10
  • exe_type: loader
  • server_id: 12
  • rsa_pubkey.plain
  • serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID: 1700)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\60d1a6a1be17f.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID: 1072)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\60d1a6a1be17f.dll,#1

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1072-60-0x0000000000000000-mapping.dmp
  • memory/1072-61-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize: 8KB)
  • memory/1072-63-0x0000000074A50000-0x0000000074B48000-memory.dmp (Filesize: 992KB)
  • memory/1072-62-0x0000000074A50000-0x0000000074A5F000-memory.dmp (Filesize: 60KB)
  • memory/1072-64-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)