Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-07-2021 15:02

General

  • Target

    3b17.dll

  • Size

    607KB

  • MD5

    3b17fcc55cee8cbe4cd1b443f358c36d

  • SHA1

    45d1e652f282a94b37ac32afb62ff563afb2fb39

  • SHA256

    9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6

  • SHA512

    6b299214396c3ea94d01f7211ffed949f4e615c12586d2191b633c12f6d7d2881c01bc2d1b360bf05d15b58c604104e222d7f33297e63c067144de4bf2c5c337

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
      2⤵
        PID:1308

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1308-114-0x0000000000000000-mapping.dmp
    • memory/1308-115-0x00000000741C0000-0x00000000741CD000-memory.dmp
      Filesize

      52KB

    • memory/1308-116-0x00000000741C0000-0x00000000742F0000-memory.dmp
      Filesize

      1.2MB

    • memory/1308-117-0x00000000029F0000-0x00000000029F1000-memory.dmp
      Filesize

      4KB