Analysis
-
max time kernel
78s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
09-07-2021 20:28
Static task
static1
Behavioral task
behavioral1
Sample
3801a989edf1a3ac945a7af3b86e25d4c2e4c0be9f35115b24e198675fc05982.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
3801a989edf1a3ac945a7af3b86e25d4c2e4c0be9f35115b24e198675fc05982.dll
-
Size
937KB
-
MD5
f0768163be61e09e32af5108aa4b90ce
-
SHA1
cc43a6e718bd4cb5cc4cc8744d7d77a8e789909b
-
SHA256
3801a989edf1a3ac945a7af3b86e25d4c2e4c0be9f35115b24e198675fc05982
-
SHA512
7dcf3fa47b616ae2d7a4dd58197154635f8a90188fdccd4780d92636913ad4e88d475b1cc77a97162d2fdf0d9ef4379afc97de55c4062e663560ec03e43080c5
Malware Config
Extracted
Family
gozi_ifsb
Botnet
4500
C2
app3.maintorna.com
chat.billionady.com
app5.folion.xyz
wer.defone.click
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
rsa_pubkey.plain
aes.plain
Signatures
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 360 wrote to memory of 1900 | 360 | rundll32.exe | rundll32.exe
PID 1900 wrote to memory of 1808 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 1808 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 1808 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 1808 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 2004 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 2004 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 2004 | 1900 | rundll32.exe | cmd.exe
PID 1900 wrote to memory of 2004 | 1900 | rundll32.exe | cmd.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3801a989edf1a3ac945a7af3b86e25d4c2e4c0be9f35115b24e198675fc05982.dll,#1
- Suspicious use of WriteProcessMemory
PID:360
-
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3801a989edf1a3ac945a7af3b86e25d4c2e4c0be9f35115b24e198675fc05982.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1900
  -
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd Island
    PID:1808
    -
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cd Matter m
    PID:2004
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1808-62-0x0000000000000000-mapping.dmp
-
memory/1900-60-0x0000000000000000-mapping.dmp
-
memory/1900-61-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize 8KB
-
memory/1900-65-0x0000000074790000-0x0000000074894000-memory.dmp
Filesize 1.0MB
-
memory/1900-64-0x0000000074790000-0x000000007479E000-memory.dmp
Filesize 56KB
-
memory/1900-66-0x0000000000140000-0x0000000000141000-memory.dmp
Filesize 4KB
-
memory/2004-63-0x0000000000000000-mapping.dmp