Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
22-11-2021 12:48
General
-
Target
b39e97bde83db04c795d18b8f67e19ea.dll
-
Size
133KB
-
MD5
b39e97bde83db04c795d18b8f67e19ea
-
SHA1
d790b9fc4b6e37035357f1bcf3948b66c6931f15
-
SHA256
bce328beb9ae78ec279dc17bf701d58cb1cfa12ff570b00c78c0ada6893c80cf
-
SHA512
23839fbd59a5cefe9092e210a8abec08999f51a033f0ee44e6e008a4e6bf74b91eb6498b6ab756cc2bda242149c3a382a7cd0ad0d7c783ec3f48f7c95128fc54
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8899
C2
microsoft.com/windowsdisabler
https://technoshoper.com
https://avolebukoneh.website
http://technoshoper.com
http://avolebukoneh.website
Attributes
-
build
260216
-
dga_season
10
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\b39e97bde83db04c795d18b8f67e19ea.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\b39e97bde83db04c795d18b8f67e19ea.dll2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2636-115-0x0000000000000000-mapping.dmp
-
memory/2636-116-0x0000000000820000-0x000000000082F000-memory.dmpFilesize
60KB