Analysis
max time kernel: 58s
max time network: 124s
platform: windows10_x64
resource: win10v20210410
submitted: 09-07-2021 20:18
Static task: static1
Behavioral task: behavioral1
Sample: 7f851519359f94a4921d20fcd82cf24ab821fac1a1c7c2f55553acb43ca49560.dll
Resource: win7v20210408 (windows7_x64)
0 signatures
0 seconds
General
Target: 7f851519359f94a4921d20fcd82cf24ab821fac1a1c7c2f55553acb43ca49560.dll
Size: 937KB
MD5: bafb0686a3114b7fe13cff6f07fffe81
SHA1: f26577bb6e24d82529b875139065c290d4bf0e89
SHA256: 7f851519359f94a4921d20fcd82cf24ab821fac1a1c7c2f55553acb43ca49560
SHA512: 85faf853aad8de4ff9284c688a76b54f504604ef3866a24c2ae6f1bfce2b17016716288272f32296ad5d084b21ed73a8f87c0499516bf850174ef6825423ce70
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 4500
C2:
  app3.maintorna.com
  chat.billionady.com
  app5.folion.xyz
  wer.defone.click
Attributes:
  build: 250188
  exe_type: loader
  server_id: 580
  rsa_pubkey.plain
  aes.plain
Signatures
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        pid   process       target process
PID 1852 wrote to memory of 1000   1852  rundll32.exe  rundll32.exe
PID 1852 wrote to memory of 1000   1852  rundll32.exe  rundll32.exe
PID 1852 wrote to memory of 1000   1852  rundll32.exe  rundll32.exe
PID 1000 wrote to memory of 1484   1000  rundll32.exe  cmd.exe
PID 1000 wrote to memory of 1484   1000  rundll32.exe  cmd.exe
PID 1000 wrote to memory of 1484   1000  rundll32.exe  cmd.exe
PID 1000 wrote to memory of 2252   1000  rundll32.exe  cmd.exe
PID 1000 wrote to memory of 2252   1000  rundll32.exe  cmd.exe
PID 1000 wrote to memory of 2252   1000  rundll32.exe  cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f851519359f94a4921d20fcd82cf24ab821fac1a1c7c2f55553acb43ca49560.dll,#1
  PID: 1852
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f851519359f94a4921d20fcd82cf24ab821fac1a1c7c2f55553acb43ca49560.dll,#1
    PID: 1000
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
      PID: 1484
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
      PID: 2252
Downloads
memory/1000-114-0x0000000000000000-mapping.dmp
memory/1000-118-0x0000000073DA0000-0x0000000073EA4000-memory.dmp (Filesize: 1.0MB)
memory/1000-117-0x0000000073DA0000-0x0000000073DAE000-memory.dmp (Filesize: 56KB)
memory/1000-119-0x0000000000C20000-0x0000000000C21000-memory.dmp (Filesize: 4KB)
memory/1484-115-0x0000000000000000-mapping.dmp
memory/2252-116-0x0000000000000000-mapping.dmp