Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
26-10-2021 14:08
General
-
Target
b76097aaa0ca490e5eb6b5a2dd13c5bc.dll
-
Size
549KB
-
MD5
b76097aaa0ca490e5eb6b5a2dd13c5bc
-
SHA1
9920ece38424d7902ffb7c28ae1b5c0d33e19aa8
-
SHA256
8f409a0d417462b342281b3f869a397ed4f5b8fd5841d140c8c57e7df39ff4b0
-
SHA512
16457a472ae064ccb3f8dc2e2d3231380c58c607f947a0570ac2a0cb54babbb27f542a778f367bcf81f15715da6378525b0e6e4fc10e2b571051a1bf8e3edb37
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8899
C2
http://microsoft.com.login/
https://premiumweare.com
https://gloverunomai.com
Attributes
-
build
260212
-
dga_season
10
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Blocklisted process makes network request 13 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b76097aaa0ca490e5eb6b5a2dd13c5bc.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2708-115-0x0000000000000000-mapping.dmp
-
memory/2708-116-0x0000000074230000-0x00000000742CB000-memory.dmpFilesize
620KB
-
memory/2708-117-0x0000000074230000-0x000000007423F000-memory.dmpFilesize
60KB
-
memory/2708-118-0x0000000074230000-0x00000000742CB000-memory.dmpFilesize
620KB
-
memory/2708-119-0x0000000002DB0000-0x0000000002DB1000-memory.dmpFilesize
4KB