Analysis

  • max time kernel: 163s
  • max time network: 167s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220310-en
  • submitted: 21/03/2022, 08:14

General

  • Target: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
  • Size: 2.7MB
  • MD5: 203b91c7b2a358455f5f62a6509cda53
  • SHA1: 3ace5fbaa20e144a6e81a83ab7bcbe7e71123808
  • SHA256: e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
  • SHA512: c3934f22a236319b9ffd99d0d44ec14281725c4c8454da2cc64d6aeee86e71487b9056a4e92e6b0ff265b704f4e8eccc3c172fc172e8810261962ddcd7fb1f1b

Malware Config

Extracted

  • Family: gozi_ifsb
  • Botnet: 7613
  • C2:
      interlines.top
      interlines.space
      linkspremium.ru
      premiumlists.ru
  • Attributes:
      base_path: /drew/
      build: 250225
      exe_type: loader
      extension: .jlk
      server_id: 50
  • rsa_pubkey.plain
  • aes.plain

Signatures

  • Gozi, Gozi IFSB
    Gozi ISFB is a well-known and widely distributed banking trojan.
  • Drops file in Windows directory (30 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe (PID 3868)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
    Signature: Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe (PID 3564)
      /s C:\Users\Admin\AppData\Local\Temp\e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3.dll
  • C:\Windows\System32\svchost.exe (PID 3856)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Signature: Drops file in Windows directory
  • C:\Windows\system32\svchost.exe (PID 1536)
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc


Downloads

  • memory/3564-134-0x0000000001420000-0x0000000001457000-memory.dmp (220KB)
  • memory/3564-135-0x0000000075140000-0x00000000753EB000-memory.dmp (2.7MB)
  • memory/3856-136-0x0000025646950000-0x0000025646960000-memory.dmp (64KB)
  • memory/3856-137-0x0000025647360000-0x0000025647370000-memory.dmp (64KB)
  • memory/3856-138-0x00000256498D0000-0x00000256498D4000-memory.dmp (16KB)
  • memory/3856-139-0x0000025649C50000-0x0000025649C54000-memory.dmp (16KB)
  • memory/3856-140-0x0000025649C50000-0x0000025649C54000-memory.dmp (16KB)
  • memory/3856-141-0x0000025649C80000-0x0000025649C84000-memory.dmp (16KB)
  • memory/3856-142-0x0000025649960000-0x0000025649961000-memory.dmp (4KB)
  • memory/3856-143-0x0000025649D80000-0x0000025649D84000-memory.dmp (16KB)
  • memory/3856-144-0x0000025649D80000-0x0000025649D84000-memory.dmp (16KB)
  • memory/3856-145-0x0000025649DB0000-0x0000025649DB4000-memory.dmp (16KB)