Analysis
-
max time kernel
133s -
max time network
136s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 10:15
General
-
Target
617683636aa85.tiff.dll
-
Size
942KB
-
MD5
63bf1fa8174987625e5e43cb0ed13e82
-
SHA1
644b87f4721c0b9b5409d19717dffea20b788081
-
SHA256
42b7c2ea97c98f21d2a5fb271364530115369f9bb08ef03fa57013cc036b6f00
-
SHA512
1ddd98f42cb271bd55f96a2291951ec761f81b8958269e67166c74ff40c3ce65a96c0011c4a024a6b1c54709043ab8cba4b22ddefa435b20696556057c2737f8
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8899
C2
msn.com/mail
realitystorys.com
outlook.com/signup
gderrrpololo.net
Attributes
-
build
260212
-
dga_season
10
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Blocklisted process makes network request 14 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\617683636aa85.tiff.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\617683636aa85.tiff.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2856-115-0x0000000000000000-mapping.dmp
-
memory/2856-116-0x0000000073E90000-0x0000000073F94000-memory.dmpFilesize
1.0MB
-
memory/2856-117-0x0000000073E90000-0x0000000073E9F000-memory.dmpFilesize
60KB
-
memory/2856-118-0x0000000073E90000-0x0000000073F94000-memory.dmpFilesize
1.0MB
-
memory/2856-119-0x00000000004C0000-0x00000000004C1000-memory.dmpFilesize
4KB