Analysis
-
max time kernel
140s -
max time network
127s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
26-10-2021 14:08
General
-
Target
b76097aaa0ca490e5eb6b5a2dd13c5bc.dll
-
Size
549KB
-
MD5
b76097aaa0ca490e5eb6b5a2dd13c5bc
-
SHA1
9920ece38424d7902ffb7c28ae1b5c0d33e19aa8
-
SHA256
8f409a0d417462b342281b3f869a397ed4f5b8fd5841d140c8c57e7df39ff4b0
-
SHA512
16457a472ae064ccb3f8dc2e2d3231380c58c607f947a0570ac2a0cb54babbb27f542a778f367bcf81f15715da6378525b0e6e4fc10e2b571051a1bf8e3edb37
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8899
C2
http://microsoft.com.login/
https://premiumweare.com
https://gloverunomai.com
Attributes
-
build
260212
-
dga_season
10
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1564-54-0x0000000000000000-mapping.dmp
-
memory/1564-55-0x0000000075821000-0x0000000075823000-memory.dmpFilesize
8KB
-
memory/1564-56-0x0000000074D50000-0x0000000074DEB000-memory.dmpFilesize
620KB
-
memory/1564-57-0x0000000074D50000-0x0000000074D5F000-memory.dmpFilesize
60KB
-
memory/1564-58-0x0000000074D50000-0x0000000074DEB000-memory.dmpFilesize
620KB
-
memory/1564-59-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB