Overview

overview

10

Static

static

textual.dll

windows7_x64

10

textual.dll

windows10_x64

10

Analysis

  • max time kernel
    24s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-06-2021 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    textual.dll

  • Size

    590KB

  • MD5

    f1daeecad06895db6b2c94f7eb1028a1

  • SHA1

    12713fcec29130f2baefac245b30b4686ed7bb9b

  • SHA256

    c7ba05674f44747d5685f36313fc0a77bc5afea3035fa0d14ee2f4dbfbcbff5c

  • SHA512

    b0e17110cc4749e15b5659aa6aa542286c9617ae291f5666b48131ad73fc4e6de1e61d4a4a8b163093ff41d3ec8ea05bb491bac17e20d9a0574acd912e44d6c0

Score
10/10
gozi_ifsb4500bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4500

C2

authd.feronok.com

app.bighomegl.at
Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\textual.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\textual.dll,#1
      2⤵
        PID:1320

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1320-114-0x0000000000000000-mapping.dmp
      Download
    • memory/1320-115-0x0000000073E50000-0x0000000073E5D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1320-116-0x0000000073E50000-0x0000000073F7C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1320-117-0x0000000003710000-0x0000000003733000-memory.dmp
      Filesize

      140KB

      Download