Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en
- submitted: 14-09-2021 09:34

Static task: static1
Behavioral task: behavioral1
Sample: 61406c9abfcad.rar.dll
Resource: win7-en
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 61406c9abfcad.rar.dll
- Size: 368KB
- MD5: 048cc67667ca451a201be5057c3dfc5a
- SHA1: 8126d4173c6e3536f1448ef66677e2df7c402f7f
- SHA256: ded13d4a537d366c3f4e9bd00ac0db8d90d5b87554b0957ac38ae81968e76ad8
- SHA512: fd20d67b9ef1643fe71bd5c584d11fc2d18d8f588f1fb9c0fcbf82616945e69dca15ae9aacbf23814335c0ca3a1df5326c530a4958656006a74ca813583cf93b
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 8877
- C2:
  outlook.com
  permanentitaly.nl
  jklooopooooreer.nl
- Attributes:
  build: 250212
  dga_season: 10
  exe_type: loader
  server_id: 12
- rsa_pubkey.plain
- serpent.plain
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  16   | 4704 | rundll32.exe
  18   | 4704 | rundll32.exe
  20   | 4704 | rundll32.exe
  22   | 4704 | rundll32.exe
  24   | 4704 | rundll32.exe
  26   | 4704 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                      | pid  | process      | target process
  PID 4688 wrote to memory of 4704 | 4688 | rundll32.exe | rundll32.exe
  PID 4688 wrote to memory of 4704 | 4688 | rundll32.exe | rundll32.exe
  PID 4688 wrote to memory of 4704 | 4688 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61406c9abfcad.rar.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61406c9abfcad.rar.dll,#1
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
- memory/4704-115-0x0000000000000000-mapping.dmp
- memory/4704-117-0x0000000010000000-0x000000001006C000-memory.dmp (Filesize: 432KB)
- memory/4704-116-0x0000000010000000-0x000000001000F000-memory.dmp (Filesize: 60KB)
- memory/4704-118-0x0000000003230000-0x0000000003231000-memory.dmp (Filesize: 4KB)