Analysis
  max time kernel: 143s
  max time network: 145s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 15-12-2021 00:09

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll
    Resource: win7-en-20211208 (windows7_x64)
    0 signatures, 0 seconds
General
  Target: aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll
  Size: 1.7MB
  MD5: ea96ae41f6dec70ce9f72ae9ef783c52
  SHA1: a8782fb8f277df06c3d18aa3ed1eee9280bd096e
  SHA256: aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
  SHA512: fb1b90b36da6899c91212c6be582564c496f9fd10443235d7a1da736486f21de7495d30d9eaff4a90465aca7f282602f55cabd1d36c8678115062f2652c549ee
Malware Config
  Extracted
    Family: gozi_ifsb
    Botnet: 8899
    C2:
      microsoft.com/windowsdisabler
      windows.update3.com
      berukoneru.website
      gerukoneru.website
      fortunarah.com
    Attributes:
      base_path: /tire/
      build: 260222
      dga_season: 10
      exe_type: loader
      extension: .eta
      server_id: 12
    rsa_pubkey.plain
    serpent.plain

Note that the first C2 entry sits on a legitimate, high-traffic domain (microsoft.com) with a path component; the remaining entries are standalone hostnames. Block the full URL for the first entry and the hostnames for the rest, not the shared domain. The bare hostname windows.update3.com is a lookalike for Windows Update infrastructure, not a Microsoft domain.
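The following is an added example, not part of the sandbox report or of the malware family's own code. It turns the extracted config above into indicators a defender can actually deploy: it separates C2 entries on shared domains (which get URL-level rules) from hostnames that are safe to block outright, and matches a few constructed proxy log lines against them. The SHARED_DOMAINS allowlist and the proxy log lines are constructed for this example; the beacon URI pattern built from base_path and extension is an assumption about how ISFB loaders form request paths, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
REPORT_CONFIG = {
    "family": "gozi_ifsb",
    "botnet": "8899",
    "c2": [
        "microsoft.com/windowsdisabler",
        "windows.update3.com",
        "berukoneru.website",
        "gerukoneru.website",
        "fortunarah.com",
    ],
    "base_path": "/tire/",
    "extension": ".eta",
    "server_id": "12",
    "build": "260222",
}

# Domains too widely used to block at the DNS level. This short list is this
# example's own; in practice it would come from a top-sites or corporate allowlist.
SHARED_DOMAINS = {"microsoft.com", "windowsupdate.com", "google.com", "cloudflare.com"}

# Constructed proxy log lines (not from the report): '<ts> <client> <method> <url> <status>'.
CONSTRUCTED_PROXY_LOG = [
    "2021-12-15T00:10:02Z 10.0.0.5 GET http://fortunarah.com/tire/B3Kz9Q/a.eta 200",
    "2021-12-15T00:10:05Z 10.0.0.5 GET https://microsoft.com/en-us/windows 200",
    "2021-12-15T00:10:07Z 10.0.0.5 GET http://microsoft.com/windowsdisabler/tire/x.eta 404",
]


def split_c2(entry):
    """Normalise one C2 entry (scheme optional) into (host, path)."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for the TLDs in this config;
    use the public suffix list for real deployments."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_indicators(config):
    """Classify each C2 entry: shared-domain entries must not be blocked wholesale."""
    out = []
    for entry in config["c2"]:
        host, path = split_c2(entry)
        shared = registrable(host) in SHARED_DOMAINS
        out.append({"raw": entry, "host": host, "path": path, "shared_domain": shared,
                    "block_domain": not shared, "kind": "url" if path else "domain"})
    return out


def dns_blocklist(config):
    """Hostnames that can go straight into a DNS/proxy blocklist."""
    return sorted({i["host"] for i in build_indicators(config) if i["block_domain"]})


def url_indicators(config):
    """host+path indicators for entries that carry a path (used where the domain is shared)."""
    return [i["host"] + i["path"] for i in build_indicators(config) if i["path"]]


def beacon_uri_regex(config):
    """Assumption (general ISFB behaviour, not stated in the report): request paths
    are formed under base_path and end with the configured extension."""
    return re.compile("^" + re.escape(config["base_path"]) + ".+" + re.escape(config["extension"]) + "$")


def match_proxy_log(config, lines):
    """Return (line, reason) for log lines hitting the domain or URL indicators."""
    blocked = set(dns_blocklist(config))
    urls = url_indicators(config)
    hits = []
    for line in lines:
        url = line.split()[3]
        host, path = split_c2(url)
        if host in blocked:
            hits.append((line, "domain " + host))
        elif any((host + path).startswith(u) for u in urls):
            hits.append((line, "url " + host + path))
    return hits


if __name__ == "__main__":
    print("DNS blocklist:", dns_blocklist(REPORT_CONFIG))
    print("URL indicators:", url_indicators(REPORT_CONFIG))
    for line, reason in match_proxy_log(REPORT_CONFIG, CONSTRUCTED_PROXY_LOG):
        print("HIT", reason, "<-", line)
```

The second constructed log line (a normal request to microsoft.com) is deliberately left unmatched: only the path-qualified indicator fires on that domain, which is the behaviour you want before shipping the blocklist.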
Signatures
  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3960 wrote to memory of 4048   3960  regsvr32.exe  regsvr32.exe
    PID 3960 wrote to memory of 4048   3960  regsvr32.exe  regsvr32.exe
    PID 3960 wrote to memory of 4048   3960  regsvr32.exe  regsvr32.exe

Processes
  C:\Windows\system32\regsvr32.exe (PID 3960)
    command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 4048)
      command line: /s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll

On 64-bit Windows the System32 regsvr32.exe re-launches the SysWOW64 copy when handed a 32-bit DLL, so the parent/child pair above indicates a 32-bit payload. All three WriteProcessMemory events are from the 64-bit instance into that child, which is consistent with that hand-off; the report shows no write into any unrelated process. The stronger signal here is regsvr32 silently (/s) registering a DLL from a user's Temp directory.
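The following is an added example, not part of the sandbox report. It shows the two checks a detection engineer would derive from this process tree: regsvr32 silently registering a DLL from a user-writable path, and separating the 64-bit to 32-bit regsvr32 hand-off from WriteProcessMemory calls into unrelated processes. The event dictionaries are constructed from the PIDs, image paths and command lines in the report (the parent PID of 3960 is not given, so it is left as None); the event format, the USER_WRITABLE markers and the one additional "explorer.exe" IoC row are this example's own.

```python
import re

# Process-creation events rebuilt from the process tree in this report
# (image paths, PIDs and command lines as shown there; the dict layout is this
# example's own, and the parent PID of 3960 is not given in the report).
REPORT_EVENTS = [
    {"pid": 3960, "ppid": None, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll"},
    {"pid": 4048, "ppid": 3960, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e.dll"},
]

# The three WriteProcessMemory IoC rows from the report, as the sandbox prints them.
REPORT_WPM_IOCS = """\
PID 3960 wrote to memory of 4048 3960 regsvr32.exe regsvr32.exe
PID 3960 wrote to memory of 4048 3960 regsvr32.exe regsvr32.exe
PID 3960 wrote to memory of 4048 3960 regsvr32.exe regsvr32.exe
"""

# Constructed row (NOT from the report): what a write into an unrelated process
# would look like, so the cross-chain check below has a positive case.
CONSTRUCTED_INJECTION_IOC = "PID 4048 wrote to memory of 5120 4048 regsvr32.exe explorer.exe\n"

DLL_RE = re.compile(r'(?i)"?([a-z]:\\[^"\s]+?\.dll)"?')
SILENT_RE = re.compile(r"(?i)(^|\s)[/-]s(\s|$)")
# Path fragments (forward-slash normalised, lower-case) that any user can write to.
USER_WRITABLE = ("/appdata/local/temp/", "/appdata/roaming/", "/users/public/", "/programdata/", "/downloads/")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def norm(path):
    return path.replace("\\", "/").lower()


def dll_from_cmdline(cmdline):
    """Return the DLL path a regsvr32 command line registers, or None."""
    m = DLL_RE.search(cmdline)
    return m.group(1) if m else None


def is_user_writable(path):
    return any(marker in norm(path) for marker in USER_WRITABLE)


def is_regsvr32(image):
    return norm(image).endswith("/regsvr32.exe")


def analyze_regsvr32(events):
    """Flag silent DLL registration from user-writable paths and label the
    64-bit -> SysWOW64 regsvr32 re-launch (which means the DLL is 32-bit)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_regsvr32(e["image"]):
            continue
        dll = dll_from_cmdline(e["cmdline"])
        if dll and SILENT_RE.search(e["cmdline"]) and is_user_writable(dll):
            findings.append({"pid": e["pid"], "severity": "suspicious",
                             "reason": "regsvr32 /s registering a DLL from a user-writable path", "dll": dll})
        parent = by_pid.get(e["ppid"])
        if (parent and is_regsvr32(parent["image"]) and "syswow64" in norm(e["image"])
                and dll and dll_from_cmdline(parent["cmdline"]) == dll):
            findings.append({"pid": e["pid"], "severity": "info",
                             "reason": "64-bit regsvr32 re-launched SysWOW64 regsvr32 for a 32-bit DLL", "dll": dll})
    return findings


def parse_wpm_iocs(text):
    """Parse the sandbox's 'wrote to memory of' rows into (src_pid, src_image, dst_pid, dst_image)."""
    rows = []
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            rows.append((int(m.group(1)), m.group(4), int(m.group(2)), m.group(5)))
    return rows


def cross_chain_writes(rows, events):
    """Writes whose target is not the writer's own child. A parent writing into a
    child it just created is consistent with normal process start-up (and also with
    hollowing of that child), so this only isolates writes into unrelated processes."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], set()).add(e["pid"])
    return [r for r in rows if r[2] not in children.get(r[0], set())]


if __name__ == "__main__":
    for f in analyze_regsvr32(REPORT_EVENTS):
        print(f["severity"], f["pid"], f["reason"])
    print("report rows flagged as cross-chain:", cross_chain_writes(parse_wpm_iocs(REPORT_WPM_IOCS), REPORT_EVENTS))
    print("with constructed row:", cross_chain_writes(parse_wpm_iocs(REPORT_WPM_IOCS + CONSTRUCTED_INJECTION_IOC), REPORT_EVENTS))
```

Run against the report's own rows the cross-chain check returns nothing, which matches the reading above that the three events are the regsvr32 hand-off; the constructed explorer.exe row is what would elevate the signature from informational to an injection alert.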