Analysis

max time kernel: 138s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 22/03/2022, 14:52

Static task: static1
Behavioral task: behavioral1
Sample: readme.dll
Resource: win7-20220310-en
0 signatures, 0 seconds
General

Target: readme.dll
Size: 654KB
MD5: 5cc6ba143e3c3ad5ba978148d213e1ac
SHA1: 39d67ee1af666dd307049ac017bde0c75f9d120c
SHA256: 64eb761e7ec0ccfd080a70bd1c6a34de92a5e9aea591793ae08155a211ad3726
SHA512: 6742c064f7178be86e1d5e157d987445fbaa259c88043f4179f35d8ecba8d2d17765d9856985dfb6034bde4b0a3dbea1905d3be51587b974206fa6eaf6ddc38a
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 7626
C2:
- buredom.top
- linkspremium.ru
- premiumlists.ru
Attributes:
- base_path: /drew/
- build: 250225
- exe_type: loader
- extension: .jlk
- server_id: 50
rsa_pubkey.plain
aes.plain
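The extracted config is what a responder actually hunts with: the three C2 hosts, the base_path the loader posts under and the file extension it appends. The script below turns those values into a check over proxy logs. It is an added example, not part of the sandbox report; the C2 hosts, base_path and extension are copied from the config above, while the log lines, the log format and the function names are constructed for this example.

```python
"""Hunt proxy logs for the Gozi/ISFB C2 pattern from the extracted config.

Added example, not from the sandbox report. C2_HOSTS, BASE_PATH and EXTENSION
come from the Malware Config section; everything else is an assumption.
"""
import re
from urllib.parse import urlsplit

# Values copied from the extracted config.
C2_HOSTS = {"buredom.top", "linkspremium.ru", "premiumlists.ru"}
BASE_PATH = "/drew/"
EXTENSION = ".jlk"

# Constructed sample log lines (not from the analysis):
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-03-22T14:53:01Z 10.0.0.15 GET http://buredom.top/drew/AbC123/xyz.jlk 200
2022-03-22T14:53:02Z 10.0.0.15 GET http://buredom.top/favicon.ico 404
2022-03-22T14:53:05Z 10.0.0.22 GET https://linkspremium.ru/drew/q1/w2.jlk 200
2022-03-22T14:53:09Z 10.0.0.22 GET https://example.com/drew/report.jlk 200
2022-03-22T14:53:11Z 10.0.0.31 GET http://premiumlists.ru/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Classify one URL against the extracted config.

    'c2_path': host is a listed C2 and the path has the check-in shape
               (starts with base_path, ends with the configured extension).
    'c2_host': host is a listed C2 but the path does not match; still worth
               a look, the host itself is the strong indicator.
    None:      not related. A matching path on a foreign host is deliberately
               not flagged: "/drew/" + ".jlk" is too generic on its own.
    """
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else ""
    if host not in C2_HOSTS:          # exact host match only
        return None
    if parts.path.startswith(BASE_PATH) and parts.path.endswith(EXTENSION):
        return "c2_path"
    return "c2_host"


def hunt(log_text):
    """Return (client, url, verdict) for every line that touches a listed C2."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                     # skip lines that do not fit the format
            continue
        _ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {url}")
```

Note that the hunt keys on the host list first and uses base_path and extension only to grade the hit; the domains are the durable part of this config, while the URL shape is shared across many ISFB builds and would produce noise if matched alone.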
Signatures

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2324  4788        WerFault.exe  83

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 3836 wrote to memory of 4788   3836  rundll32.exe  83
PID 3836 wrote to memory of 4788   3836  rundll32.exe  83
PID 3836 wrote to memory of 4788   3836  rundll32.exe  83
Processes

- C:\Windows\system32\rundll32.exe (PID 3836)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4788)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 2324)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 604
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4040)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4788 -ip 4788
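Two things in this tree are worth turning into detection logic: a DLL in the user's Temp directory executed through rundll32 by ordinal (`,#1`), and the 64-bit system32 rundll32 re-launching the SysWOW64 copy with an identical command line, which is what happens when the DLL handed to it is 32-bit. The WriteProcessMemory hits are the parent rundll32 (3836) writing into that child (4788) during process creation, which is consistent with the relaunch and is weak evidence on its own; the child then crashed, hence the WerFault entries and the absence of any further behaviour. The code below is an added example, not part of the report: the process records are reconstructed by hand from the tree above (parent PIDs taken from the nesting), and the record fields, regexes and function names are assumptions about whatever telemetry you have (Sysmon event 1, EDR process events, and so on).

```python
"""Detection logic for the rundll32 process tree in the report.

Added example, not from the sandbox. PROCESSES is reconstructed from the
Processes section; field names and helpers are assumptions.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Reconstructed from the report's process tree; ppid follows the nesting.
PROCESSES = [
    Proc(3836, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1"),
    Proc(4788, 3836, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1"),
    Proc(2324, 4788, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 604"),
    Proc(4040, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4788 -ip 4788"),
]

# rundll32 syntax: rundll32.exe <dll>,<entry>; <entry> is a name or #ordinal.
# An unquoted module path containing spaces is not handled (rundll32 itself
# splits on the first comma, so real-world parsing is messier than this).
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?P<module>"[^"]+"|[^,\s]+)\s*,\s*(?P<entry>\S+)',
    re.I)

# Paths a standard user can write to; a DLL loaded from here via rundll32 is suspicious.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public|ProgramData|Users\\[^\\]+\\Desktop)\\",
    re.I)


def inspect_rundll32(cmdline):
    """Return findings for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    module = m.group("module").strip('"')
    entry = m.group("entry")
    return {
        "module": module,
        "entry": entry,
        "ordinal_export": entry.startswith("#"),
        "user_writable_module": bool(USER_WRITABLE.search(module)),
    }


def wow64_relaunch(proc, by_pid):
    """True when a SysWOW64 rundll32 was spawned by a system32 rundll32 with the same arguments."""
    parent = by_pid.get(proc.ppid)
    return (parent is not None
            and proc.image.lower().endswith(r"\syswow64\rundll32.exe")
            and parent.image.lower().endswith(r"\system32\rundll32.exe")
            and proc.cmdline == parent.cmdline)


def alerts(processes):
    """Return (pid, message) for every rundll32 record that trips a rule."""
    by_pid = {p.pid: p for p in processes}
    out = []
    for p in processes:
        f = inspect_rundll32(p.cmdline)
        if not f:
            continue
        if f["user_writable_module"] and f["ordinal_export"]:
            out.append((p.pid, "rundll32 loads %s by ordinal %s from a user-writable path"
                        % (f["module"], f["entry"])))
        if wow64_relaunch(p, by_pid):
            out.append((p.pid, "32-bit DLL: 64-bit rundll32 re-launched the SysWOW64 copy"))
    return out


if __name__ == "__main__":
    for pid, msg in alerts(PROCESSES):
        print(pid, msg)
```

The ordinal-from-Temp rule is the one to deploy; the WoW64 relaunch rule mostly adds context (it tells you the DLL is 32-bit and explains the parent-to-child memory writes), and both rundll32 records in this tree trip the first rule, so expect two alerts per execution rather than one.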