Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
25-10-2021 21:22
General
-
Target
4edfb1b3a28524cdf10d2e10ba4e6411013607949359987c07d3d715bfca3cce.dll
-
Size
497KB
-
MD5
11e1bb1bb27820c92a7c4a4c1a356184
-
SHA1
99755d73681d052d3391c9f2b90030272faa640f
-
SHA256
4edfb1b3a28524cdf10d2e10ba4e6411013607949359987c07d3d715bfca3cce
-
SHA512
52effae2a754dcd59501620f3567bf3f4ed4e2faad02d15dbf53483710e2504be572b35f5cce74a1923df6f77641acfd612cc99e829d27787b5827c4b14063c8
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
1500
C2
apt.updateffboruse.com
app.updatebrouser.com
Attributes
-
build
250211
-
exe_type
loader
-
server_id
580
rsa_pubkey.plain
aes.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4edfb1b3a28524cdf10d2e10ba4e6411013607949359987c07d3d715bfca3cce.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4edfb1b3a28524cdf10d2e10ba4e6411013607949359987c07d3d715bfca3cce.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1524-55-0x0000000000000000-mapping.dmp
-
memory/1524-56-0x0000000076531000-0x0000000076533000-memory.dmpFilesize
8KB
-
memory/1524-57-0x00000000750F0000-0x0000000075208000-memory.dmpFilesize
1.1MB
-
memory/1524-59-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/1524-60-0x00000000750F0000-0x0000000075208000-memory.dmpFilesize
1.1MB
-
memory/1524-58-0x00000000750F0000-0x00000000750FD000-memory.dmpFilesize
52KB