Analysis

  • max time kernel
    4294180s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    21/03/2022, 08:14

General

  • Target

    e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll

  • Size

    2.7MB

  • MD5

    203b91c7b2a358455f5f62a6509cda53

  • SHA1

    3ace5fbaa20e144a6e81a83ab7bcbe7e71123808

  • SHA256

    e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3

  • SHA512

    c3934f22a236319b9ffd99d0d44ec14281725c4c8454da2cc64d6aeee86e71487b9056a4e92e6b0ff265b704f4e8eccc3c172fc172e8810261962ddcd7fb1f1b

Malware Config

Extracted

  • Family
    gozi_ifsb
  • Botnet
    7613
  • C2
    interlines.top
    interlines.space
    linkspremium.ru
    premiumlists.ru

Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
    PID: 1752
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
      PID: 1764

Downloads

  • memory/1752-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
    Filesize
    8KB
  • memory/1764-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp
    Filesize
    8KB
  • memory/1764-56-0x0000000000220000-0x0000000000257000-memory.dmp
    Filesize
    220KB
  • memory/1764-57-0x0000000074CD0000-0x0000000074F7B000-memory.dmp
    Filesize
    2.7MB