Analysis
max time kernel: 4294180s
max time network: 127s
platform: windows7_x64
resource: win7-20220310-en
submitted: 21/03/2022, 08:14
Static task: static1
Behavioral task: behavioral1
Sample: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
Resource: win7-20220310-en
0 signatures
0 seconds
General
Target: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
Size: 2.7MB
MD5: 203b91c7b2a358455f5f62a6509cda53
SHA1: 3ace5fbaa20e144a6e81a83ab7bcbe7e71123808
SHA256: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SHA512: c3934f22a236319b9ffd99d0d44ec14281725c4c8454da2cc64d6aeee86e71487b9056a4e92e6b0ff265b704f4e8eccc3c172fc172e8810261962ddcd7fb1f1b
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 7613
C2:
  interlines.top
  interlines.space
  linkspremium.ru
  premiumlists.ru
Attributes:
  base_path: /drew/
  build: 250225
  exe_type: loader
  extension: .jlk
  server_id: 50
  rsa_pubkey.plain
  aes.plain
Signatures
Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid   Process       procid_target
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
PID 1752 wrote to memory of 1764     1752  regsvr32.exe  27
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
   PID: 1752
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
      PID: 1764