Analysis

max time kernel: 4294183s
max time network: 143s
platform: windows7_x64
resource: win7-20220310-en
submitted: 21/03/2022, 08:14

Static task: static1
Behavioral task: behavioral1
Sample: 41025bfa31bf8234f7029fdb03a5f9cacfc6991452cfa645b76f0440b20ae91f.dll
Resource: win7-20220310-en
0 signatures
0 seconds
General

Target: 41025bfa31bf8234f7029fdb03a5f9cacfc6991452cfa645b76f0440b20ae91f.dll
Size: 35.9MB
MD5: 6f7e051c916e7a39da695fc2a859ffab
SHA1: e1cc5a152936adc65465c37013af52e37db1c3fb
SHA256: 41025bfa31bf8234f7029fdb03a5f9cacfc6991452cfa645b76f0440b20ae91f
SHA512: f4da5ca41b9e7bd9f691d044f34b2df1ef2001438d61d211712e99748b467ddc2fc168abbf6741545c1103bb2f5ba971dc69ae004b6d35f0487044a7d181bea4
Malware Config

Extracted

Family: gozi_ifsb
Botnet: 7616
C2:
  loginsline.top
  loginslink.top
  linkspremium.ru
  premiumlists.ru

Attributes
  base_path: /drew/
  build: 250225
  exe_type: loader
  extension: .jlk
  server_id: 50
  rsa_pubkey.plain
  aes.plain
Signatures

Suspicious use of WriteProcessMemory (7 IoCs)

description                         pid   Process       procid_target
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
PID 1592 wrote to memory of 1816    1592  regsvr32.exe  29
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\41025bfa31bf8234f7029fdb03a5f9cacfc6991452cfa645b76f0440b20ae91f.dll
   PID: 1592
   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\41025bfa31bf8234f7029fdb03a5f9cacfc6991452cfa645b76f0440b20ae91f.dll
      PID: 1816