Analysis
-
max time kernel
122s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
23/03/2022, 11:22
Static task
static1
Behavioral task
behavioral1
Sample
61ee6edf7de65.dll
Resource
win7-20220311-en
0 signatures
0 seconds
General
-
Target
61ee6edf7de65.dll
-
Size
95KB
-
MD5
b6f0fc5638a110abac1a54805f77e786
-
SHA1
f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
-
SHA256
06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
-
SHA512
b92f671821476bb041bd96a38b1ff300365d12d2fb6bec6266cfbd0f7613a3551807ddc3887ebee13911843322c3274af2a65ca1c38291b45506b433cccd15a8
Malware Config
Extracted
Family
gozi_ifsb
Botnet
20000
C2
giporedtrip.at
habpfans.at
Attributes
-
base_path
/drew/
-
build
260224
-
exe_type
loader
-
extension
.jlk
-
server_id
50
rsa_pubkey.plain
aes.plain
Signatures
-
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
-
Blocklisted process makes network request 3 IoCs
flow pid Process 26 1980 rundll32.exe 32 1980 rundll32.exe 33 1980 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1980 1684 rundll32.exe 38 PID 1684 wrote to memory of 1980 1684 rundll32.exe 38 PID 1684 wrote to memory of 1980 1684 rundll32.exe 38
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#12⤵
- Blocklisted process makes network request
PID:1980
-