Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06/02/2022, 21:46

General

  • Target

    trainmen.dll

  • Size

    160KB

  • MD5

    24433fe5aed50417b17663e46bacf92c

  • SHA1

    6ff9b5c8ff0fc10f3bcce07c4f4fda2eaa351188

  • SHA256

    263be47f602b2156c9282afdd6a0f1fe9bb9022cef2eb0a821e8d8153d3a8d06

  • SHA512

    c833a0e82e83e663eb362e7c18ae737d5750df2f1ad55ba68ba33ab87ed3d181b30bc8672f0a58e60ea25c0067b548e11d90cd8c8b4f566450fec01712900720

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2200

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes
  • build

    250180

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trainmen.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\trainmen.dll
      2⤵
        PID:1252

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/852-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

            Filesize

            8KB

          • memory/1252-55-0x0000000075761000-0x0000000075763000-memory.dmp

            Filesize

            8KB

          • memory/1252-57-0x0000000074890000-0x00000000748D0000-memory.dmp

            Filesize

            256KB

          • memory/1252-56-0x0000000074890000-0x000000007489F000-memory.dmp

            Filesize

            60KB

          • memory/1252-58-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB