Analysis
- max time kernel: 4294183s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 22/03/2022, 14:52

Static task: static1
Behavioral task: behavioral1
- Sample: readme.dll
- Resource: win7-20220310-en
- 0 signatures
- 0 seconds
General
- Target: readme.dll
- Size: 654KB
- MD5: 5cc6ba143e3c3ad5ba978148d213e1ac
- SHA1: 39d67ee1af666dd307049ac017bde0c75f9d120c
- SHA256: 64eb761e7ec0ccfd080a70bd1c6a34de92a5e9aea591793ae08155a211ad3726
- SHA512: 6742c064f7178be86e1d5e157d987445fbaa259c88043f4179f35d8ecba8d2d17765d9856985dfb6034bde4b0a3dbea1905d3be51587b974206fa6eaf6ddc38a
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 7626
- C2:
  - buredom.top
  - linkspremium.ru
  - premiumlists.ru
Attributes
- base_path: /drew/
- build: 250225
- exe_type: loader
- extension: .jlk
- server_id: 50
- rsa_pubkey.plain
- aes.plain
Signatures
- Program crash (1 IoC)

  pid    pid_target   Process        procid_target
  1660   1652         WerFault.exe   27

- Suspicious use of WriteProcessMemory (11 IoCs)

  description                          pid    Process        procid_target
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1604 wrote to memory of 1652     1604   rundll32.exe   27
  PID 1652 wrote to memory of 1660     1652   rundll32.exe   28
  PID 1652 wrote to memory of 1660     1652   rundll32.exe   28
  PID 1652 wrote to memory of 1660     1652   rundll32.exe   28
  PID 1652 wrote to memory of 1660     1652   rundll32.exe   28
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1604
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1652
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 224
      - Program crash
      PID: 1660