Analysis
- max time kernel: 73s
- max time network: 34s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 09:03

Static task: static1
Behavioral task: behavioral1
- Sample: 25ccb64f72c46f7762a0c2b7b26aac04.dll
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 25ccb64f72c46f7762a0c2b7b26aac04.dll
- Size: 937KB
- MD5: 25ccb64f72c46f7762a0c2b7b26aac04
- SHA1: bcc71c44f04bda1bc063c448922faee59ee72663
- SHA256: fc9fffd970b6271c16e4717cc257d68d74a73257f59d60f76ddda28d9e729ed3
- SHA512: e4a421ae14fb0bab4d6001f191429c99222356f1d5dc3b531b76875a54ac1b3fbebdd905d1c293bbdd22f29cdc28a113ccc6ef09cfc3271c21edf8c2b27f1708
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)

Processes:

  description                       pid   process       target process
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 916 wrote to memory of 1664   916   rundll32.exe  rundll32.exe
  PID 1664 wrote to memory of 1488  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1488  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1488  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1488  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1972  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1972  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1972  1664  rundll32.exe  cmd.exe
  PID 1664 wrote to memory of 1972  1664  rundll32.exe  cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25ccb64f72c46f7762a0c2b7b26aac04.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\25ccb64f72c46f7762a0c2b7b26aac04.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
Downloads
- memory/1488-2-0x0000000000000000-mapping.dmp
- memory/1664-0-0x0000000000000000-mapping.dmp
- memory/1664-1-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize: 8KB)
- memory/1664-64-0x0000000074A30000-0x0000000074A3E000-memory.dmp (Filesize: 56KB)
- memory/1664-65-0x0000000074A30000-0x0000000074B34000-memory.dmp (Filesize: 1.0MB)
- memory/1664-66-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/1972-3-0x0000000000000000-mapping.dmp