Analysis

  • max time kernel
    4294214s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    19/03/2022, 11:13

General

  • Target

    0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll

  • Size

    590KB

  • MD5

    cce6b64754d50f47c31a6ce2d7b47bec

  • SHA1

    37a43ffb09c402d1b415414ad02c723a678d409e

  • SHA256

    0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4

  • SHA512

    8fa6ee3532fc51c34527e8592b39f0079ec644980670c168235a1436b7d0c2ec6ccaeb00e42314189ed4d5870e5247bc556b633a5c82b07cb0b3fbb4b111065f

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1265

C2

updates.microsoft.com

remuloga.top

reconders.top

Attributes
  • build

    250167

  • dga_season

    10

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain
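The C2 list above needs one caveat before it goes into a blocklist: updates.microsoft.com is a legitimate Microsoft host, and ISFB configs commonly carry one such domain next to the real C2s, so only remuloga.top and reconders.top are actionable. The Python below is an added example, not part of the sandbox report: it turns the extracted config into defanged IOCs, drops the legitimate host, and hunts a few constructed DNS query log lines for lookups of the C2 domains or their subdomains. The log format, the `DECOY_HOSTS` set and the client IPs are assumptions for illustration.

```python
import re

# Config values transcribed from the sandbox report (constructed input dict).
EXTRACTED_CONFIG = {
    "family": "gozi_ifsb",
    "botnet": "1265",
    "c2": ["updates.microsoft.com", "remuloga.top", "reconders.top"],
    "attributes": {"build": "250167", "dga_season": "10",
                   "exe_type": "loader", "server_id": "12"},
    "hashes": {
        "md5": "cce6b64754d50f47c31a6ce2d7b47bec",
        "sha1": "37a43ffb09c402d1b415414ad02c723a678d409e",
        "sha256": "0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4",
    },
}

# Legitimate hosts that ISFB configs list alongside real C2s. Blocking them
# breaks Windows Update. Assumption: extend this set for your environment.
DECOY_HOSTS = {"updates.microsoft.com"}


def actionable_c2(config):
    """C2 domains worth blocking or hunting, minus known-legitimate hosts."""
    return sorted(d.lower() for d in config["c2"] if d.lower() not in DECOY_HOSTS)


def defang(domain):
    """Render a domain so it cannot be clicked in a report: remuloga[.]top."""
    return domain.replace(".", "[.]")


def hunt_dns_log(lines, c2_domains):
    """Scan DNS query log lines for lookups of a C2 domain or any subdomain.

    Returns (client, matched_c2, queried_name) tuples in log order.
    Assumed line format: '... client=<ip> ... query=<name>. type=<rr>'.
    """
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+).*?query=(\S+)", line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).rstrip(".").lower()
        for c2 in c2_domains:
            if qname == c2 or qname.endswith("." + c2):
                hits.append((client, c2, qname))
    return hits


# Constructed sample log lines; not taken from the report.
SAMPLE_DNS_LOG = [
    "2022-03-19T11:14:02Z client=10.0.0.21 query=updates.microsoft.com. type=A",
    "2022-03-19T11:14:05Z client=10.0.0.21 query=remuloga.top. type=A",
    "2022-03-19T11:14:09Z client=10.0.0.33 query=cdn.reconders.top. type=A",
    "2022-03-19T11:14:12Z client=10.0.0.33 query=example.com. type=A",
]

if __name__ == "__main__":
    c2 = actionable_c2(EXTRACTED_CONFIG)
    print("block:", ", ".join(defang(d) for d in c2))
    for client, c2dom, qname in hunt_dns_log(SAMPLE_DNS_LOG, c2):
        print(f"{client} looked up {defang(qname)} (matches {defang(c2dom)})")
```

The subdomain match matters because ISFB builds its request URLs under the configured domain; an exact-match rule on `remuloga.top` alone would miss `cdn.reconders.top` style lookups. The hash set is kept in the same structure so the same dict can feed a file-hash sweep.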

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB (also tracked as Ursnif) is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings (1 TTP, 57 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

The DLL is invoked by ordinal (#1) from %TEMP%. The 64-bit rundll32.exe (PID 808) re-launches its SysWOW64 copy (PID 1868) with the same command line because the DLL is 32-bit; every memory dump listed below comes from PID 1868. The iexplore.exe instances are started through COM activation (-Embedding) rather than as direct children of rundll32, which is why they sit at the top level of the tree; the hook and WriteProcessMemory signatures on PID 1700 are where the browser side of the activity is recorded.

  • C:\Windows\system32\rundll32.exe (PID 808)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 1868, child of 808)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 1700)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 676, child of 1700)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 1200)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 748, child of 1200)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
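As an added example (not part of the sandbox report), the Python below scores rundll32 process-creation events against the pattern in the tree above: a DLL loaded from a user-writable Temp path, an export called by ordinal (`,#1`), a file named by its own SHA-256, and the 64-bit rundll32 re-launching its SysWOW64 copy, which only shows that the payload is 32-bit and is therefore reported as context rather than scored. The events and their field names are constructed to mirror the tree and are not a real log format; the parent PIDs 400 and 600 and the benign Control Panel event are assumptions added so the rule has a negative case.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# Field names (pid, ppid, image, cmd) are assumptions, not a real log schema.
EVENTS = [
    {"pid": 808, "ppid": 400, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1"},
    {"pid": 1868, "ppid": 808, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1"},
    {"pid": 1700, "ppid": 600, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'},
    # Benign control case (constructed): a Control Panel applet, not from Temp.
    {"pid": 2200, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,<export>  with optional quoting around the DLL path.
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def classify_rundll32(cmd):
    """Score a rundll32 command line; returns (score, reasons)."""
    m = RUNDLL32_ARGS.search(cmd)
    if not m:
        return 0, []
    dll, export = m.group("dll"), m.group("export")
    score, reasons = 0, []
    if USER_WRITABLE.search(dll):
        score += 2
        reasons.append("dll in user-writable temp/roaming path")
    if re.fullmatch(r"#\d+", export):
        score += 1
        reasons.append("export called by ordinal")
    if re.search(r"[\\/][0-9a-f]{64}\.dll$", dll, re.I):
        score += 1
        reasons.append("dll named by its sha256")
    return score, reasons


def detect(events, threshold=3):
    """Return (pid, score, reasons) for rundll32 events at or above threshold."""
    alerts = []
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        is_rundll32 = e["image"].lower().endswith("rundll32.exe")
        score, reasons = classify_rundll32(e["cmd"]) if is_rundll32 else (0, [])
        parent = by_pid.get(e["ppid"])
        # system32\rundll32 spawning SysWOW64\rundll32 means the DLL is 32-bit.
        # Context only: the re-launch itself is normal Windows behaviour.
        if (parent and "\\system32\\rundll32.exe" in parent["image"].lower()
                and "\\syswow64\\rundll32.exe" in e["image"].lower()):
            reasons.append("32-bit DLL loaded via WoW64 rundll32 re-launch")
        if score >= threshold:
            alerts.append((e["pid"], score, reasons))
    return alerts


if __name__ == "__main__":
    for pid, score, reasons in detect(EVENTS):
        print(f"PID {pid}: score {score}: " + "; ".join(reasons))
```

Ordinal export alone is not a strong signal (some legitimate installers use it), which is why the Temp path carries the most weight and the threshold needs two indicators together; tune the weights against your own rundll32 baseline before deploying.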

Network

MITRE ATT&CK Enterprise v6


Downloads

Memory dumps (all from PID 1868, the SysWOW64 rundll32.exe):

  • memory/1868-54-0x00000000758A1000-0x00000000758A3000-memory.dmp (8KB)
  • memory/1868-56-0x0000000000260000-0x0000000000270000-memory.dmp (64KB)
  • memory/1868-55-0x0000000000260000-0x0000000000270000-memory.dmp (64KB)
  • memory/1868-57-0x00000000001C0000-0x000000000020B000-memory.dmp (300KB)
  • memory/1868-58-0x0000000000350000-0x0000000000352000-memory.dmp (8KB)