Overview

overview

10

Static

static

3a94.dll

windows7_x64

10

3a94.dll

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-07-2021 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a94.dll

  • Size

    607KB

  • MD5

    3a943173c6de419b7078e88c20997838

  • SHA1

    56567824c6b5c62112a74daa7a1a66e2ec0505d3

  • SHA256

    af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836

  • SHA512

    801f8f86158c23a44499fc8c5364cb6353a44fba09015d118341e1bd07a568fe4c2fe4b93ca691bb45b41b5f6ee2a6f73d7ffbfde3eb9cd7293295ffc530693c

Score
10/10
gozi_ifsb6000bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at
Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a94.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a94.dll,#1
      2⤵
        PID:1168

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1168-114-0x0000000000000000-mapping.dmp
      Download
    • memory/1168-115-0x00000000735D0000-0x00000000735DD000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1168-116-0x00000000735D0000-0x0000000073700000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1168-117-0x0000000002E50000-0x0000000002EDE000-memory.dmp
      Filesize

      568KB

      Download