Analysis
- max time kernel: 36s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14/06/2022, 08:59

Static task: static1
Behavioral task: behavioral1
Sample: 04447a2725f293f8a9746b0db58fa832.dll
Resource: win7-20220414-en
0 signatures
0 seconds
General
- Target: 04447a2725f293f8a9746b0db58fa832.dll
- Size: 436KB
- MD5: 04447a2725f293f8a9746b0db58fa832
- SHA1: caf87c9fa89e4f6039a3c296bbcd7ffce4cdf829
- SHA256: b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
- SHA512: 2ecccfda9267faa7ac30307d455601fa79711e4163a71770807b70e2228e6b5ce335d46a7b3eb0810f0b0f0e404eaa27dc2bbabc3334fb654352b3c39a661e06
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
- config.edge.skype.com
- 194.76.226.15
- 109.230.199.114
Attributes
- base_path: /drew/
- build: 250235
- exe_type: loader
- extension: .jlk
- server_id: 50
- rsa_pubkey.plain
- aes.plain
Signatures
- Suspicious use of WriteProcessMemory (7 IoCs)

description                        pid   Process        procid_target
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
PID 848 wrote to memory of 1796    848   rundll32.exe   26
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
  PID: 848
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 848)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
    PID: 1796