Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 13/06/2022, 10:16

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: x610E.tmp.dll
Resource: win7-20220414-en
Signatures: 0
Time: 0 seconds
General
Target: x610E.tmp.dll
Size: 480KB
MD5: fe2e50e674aceba23daa6c4e1501512e
SHA1: ecb3a334493b82335040ea3196ed053682bcaea3
SHA256: dd44995c4e6440c80669b0b16a53c2956b0675c9bb015a9e8037d8f487e604cf
SHA512: 5090370c34eeb972d8d9a8e9883c6fdb6f78f4ca6bc1378a5456c1c6598ca8a44d6fff07529eeb0854814a72194f4d32bb25232e2633cc79137eae33be35e442
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 7634
C2:
  factorlink.top
  factorline.top
  mediumline.co
Attributes
  base_path: /drew/
  build: 250229
  exe_type: loader
  extension: .jlk
  server_id: 50
rsa_pubkey.plain
aes.plain
Signatures
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
11    4340  rundll32.exe
36    4340  rundll32.exe
37    4340  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 1092 wrote to memory of 4340   1092  rundll32.exe  81
PID 1092 wrote to memory of 4340   1092  rundll32.exe  81
PID 1092 wrote to memory of 4340   1092  rundll32.exe  81
Processes
C:\Windows\system32\rundll32.exe (PID 1092)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\x610E.tmp.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe (PID 4340)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\x610E.tmp.dll,#1
    Signatures: Blocklisted process makes network request