Analysis
-
max time kernel
31s -
max time network
55s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
05-07-2021 14:39
General
-
Target
d1a5c.dll
-
Size
420KB
-
MD5
d1a5cea82aad4498789085900147ca86
-
SHA1
9ba635f6bca95ccb96db70eb3247cc2191f2c7d3
-
SHA256
2d49495a14202da33b0d3215668e55cfe873e4deff2bfb892a6227fc23b936fe
-
SHA512
d11b5901c0793f53b19ef648cde8e1c588a1311bf77efcce9fa5cdf5f312fbdca27c56a1230329b758a8aa4043a81bd21cb530c5da4128ccce2aad3dca20c5fe
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
gtr.antoinfer.com
app.bighomegl.at
Attributes
-
build
250204
-
exe_type
loader
-
server_id
580
rsa_pubkey.plain
aes.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a5c.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a5c.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2032-61-0x0000000000890000-0x0000000000991000-memory.dmpFilesize
1.0MB
-
memory/2032-60-0x00000000753E1000-0x00000000753E3000-memory.dmpFilesize
8KB
-
memory/2032-59-0x0000000000000000-mapping.dmp
-
memory/2032-62-0x0000000000890000-0x000000000089D000-memory.dmpFilesize
52KB
-
memory/2032-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB