Analysis

max time kernel: 94s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19/03/2022, 08:58

Static task: static1
Behavioral task: behavioral1
Sample: 54ea3470b7b6a4653c7253a874118971b842c3d38dcca7f65f3ec4446b63dff9.dll
Resource: win7-20220311-en
0 signatures, 0 seconds
General

Target: 54ea3470b7b6a4653c7253a874118971b842c3d38dcca7f65f3ec4446b63dff9.dll
Size: 456KB
MD5: 25a65068db29d21f15626ed5a89f0940
SHA1: 047f91c8f3cd95a0b5dbfc402607f73a96943730
SHA256: 54ea3470b7b6a4653c7253a874118971b842c3d38dcca7f65f3ec4446b63dff9
SHA512: 1f06b0a9105821470d1ed7444ec769e2448f00d269adf4bc4942295787b154e0baee48f6a22e8687f4a06307e33c5829035558b4ea331b62a49d31400d47741e
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 1100
C2:
  golang.feel500.at/api1
  api10.laptok.at/api1
Attributes:
  build: 250171
  dga_base_url: constitution.org/usdeclar.txt
  dga_crc: 0x4eb7d2ca
  dga_season: 10
  dga_tlds: com, ru, org
  exe_type: loader
  server_id: 730
Extracted keys: rsa_pubkey.plain, serpent.plain
Signatures

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4860  4304        WerFault.exe  79

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process       procid_target
  PID 4920 wrote to memory of 4304   4920  rundll32.exe  79
  PID 4920 wrote to memory of 4304   4920  rundll32.exe  79
  PID 4920 wrote to memory of 4304   4920  rundll32.exe  79
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54ea3470b7b6a4653c7253a874118971b842c3d38dcca7f65f3ec4446b63dff9.dll,#1
  PID: 4920
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54ea3470b7b6a4653c7253a874118971b842c3d38dcca7f65f3ec4446b63dff9.dll,#1
      PID: 4304
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 620
          PID: 4860
          Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4304 -ip 4304
  PID: 1276