Analysis

  • max time kernel
    68s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08/02/2022, 00:40

General

  • Target

    urban.dll

  • Size

    405KB

  • MD5

    8f6c878f21174f803a7879a4aee87b34

  • SHA1

    9f3bff82262133c9325bdebd282b71b58695906e

  • SHA256

    86b670d81a26ea394f7c0edebdc93e8f9bd6ce6e0a8d650e32a0fe36c93f0dee

  • SHA512

    8253513edf2e6f5b4890400aea147fea6f9467a2495f68ea2296e73a41fafbd635d6455336ab1a5a4e31a8059b75ad835aa17c9ba7f1fbbb416a4cc672f1f3d0

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes
  • build

    250180

  • exe_type

    loader

  • server_id

    730

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\urban.dll,#1
    PID: 1588
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\urban.dll,#1
      PID: 1688

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1688-54-0x0000000076151000-0x0000000076153000-memory.dmp
    Filesize
    8KB
  • memory/1688-56-0x00000000749E0000-0x0000000074AA0000-memory.dmp
    Filesize
    768KB
  • memory/1688-55-0x00000000749E0000-0x00000000749EF000-memory.dmp
    Filesize
    60KB
  • memory/1688-58-0x0000000000170000-0x0000000000171000-memory.dmp
    Filesize
    4KB
  • memory/1688-57-0x00000000749E0000-0x0000000074AA0000-memory.dmp
    Filesize
    768KB