Analysis
-
max time kernel
140s -
max time network
141s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-12-2021 00:09
General
-
Target
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll
-
Size
1.7MB
-
MD5
ea96ae41f6dec70ce9f72ae9ef783c52
-
SHA1
a8782fb8f277df06c3d18aa3ed1eee9280bd096e
-
SHA256
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
-
SHA512
fb1b90b36da6899c91212c6be582564c496f9fd10443235d7a1da736486f21de7495d30d9eaff4a90465aca7f282602f55cabd1d36c8678115062f2652c549ee
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
8899
C2
microsoft.com/windowsdisabler
windows.update3.com
berukoneru.website
gerukoneru.website
fortunarah.com
Attributes
-
base_path
/tire/
-
build
260222
-
dga_season
10
-
exe_type
loader
-
extension
.eta
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/760-54-0x0000000000000000-mapping.dmp
-
memory/760-55-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/760-57-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/760-58-0x0000000010000000-0x00000000101BF000-memory.dmpFilesize
1.7MB
-
memory/1088-53-0x000007FEFB711000-0x000007FEFB713000-memory.dmpFilesize
8KB