Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19/03/2022, 11:13
Static task: static1
Behavioral task: behavioral1
Sample: 0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll
Resource: win7-20220310-en
0 signatures, 0 seconds
General
Target: 0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll
Size: 590KB
MD5: cce6b64754d50f47c31a6ce2d7b47bec
SHA1: 37a43ffb09c402d1b415414ad02c723a678d409e
SHA256: 0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4
SHA512: 8fa6ee3532fc51c34527e8592b39f0079ec644980670c168235a1436b7d0c2ec6ccaeb00e42314189ed4d5870e5247bc556b633a5c82b07cb0b3fbb4b111065f
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 1265
C2:
updates.microsoft.com
remuloga.top
reconders.top
Attributes:
build: 250167
dga_season: 10
exe_type: loader
server_id: 12
rsa_pubkey.plain (value not shown)
serpent.plain (value not shown)
Note on the C2 list: updates.microsoft.com is a Microsoft-owned hostname that the extractor pulled out of the configuration alongside the two .top domains. Only remuloga.top and reconders.top are usable as block or hunt indicators; adding the Microsoft host to a blocklist would cause collateral damage without affecting the operator.
Signatures
Program crash (1 IoC)
pid   pid_target   Process        procid_target
1952  384          WerFault.exe   78
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process        procid_target
PID 3304 wrote to memory of 384    3304   rundll32.exe   78
PID 3304 wrote to memory of 384    3304   rundll32.exe   78
PID 3304 wrote to memory of 384    3304   rundll32.exe   78
All three writes go from the 64-bit rundll32.exe (PID 3304) into the 32-bit rundll32.exe it spawned (PID 384) with an identical command line, which is what rundll32 does on x64 Windows when handed a 32-bit DLL. On their own these writes are not evidence of injection into an unrelated process. The crash record shows that PID 384, the process actually executing the DLL's export #1, faulted and was handled by WerFault.
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1
  PID: 3304
  Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ab16b64a92305fad3b7a89ac458e68d91eeac1a583855cbd12a35c7f86524a4.dll,#1
      PID: 384
      └ C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 592
          PID: 1952
          Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 384 -ip 384
  PID: 1652
The DLL is invoked by ordinal (export #1) from the user's Temp directory. The 64-bit rundll32 re-launches the SysWOW64 copy with the same arguments, consistent with a 32-bit DLL, and that copy crashes (WerFault -p 384). No network signature is recorded for this run, so the C2 hosts in the extracted configuration were not observed in traffic here; a loader that dies this early in a sandbox should not be read as inert.