Analysis
-
max time kernel
70s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 06:45
General
-
Target
66c4fb72090d8f58cea15e6d8b599fec39c7916cc6ef03f925e796fa881116c4.dll
-
Size
317KB
-
MD5
0030aea7ff8e0e007c16082c382d4c9a
-
SHA1
7f827101895e4b2bd1f173827277827d0162433b
-
SHA256
66c4fb72090d8f58cea15e6d8b599fec39c7916cc6ef03f925e796fa881116c4
-
SHA512
27200affc530722b1177a686f4a15f59e5e430f2563f27ded2a0ccb60fa1fd7c68c8c16ed49184a376fe6d55ebaff4dff6aa1b9fd720e873deae16e8232932d5
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Attributes
-
build
217107
Extracted
Family
gozi_ifsb
Botnet
1111
C2
http://securemrc.ru
http://securecc.ru
http://roiboypo.ru
Attributes
-
build
217107
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\66c4fb72090d8f58cea15e6d8b599fec39c7916cc6ef03f925e796fa881116c4.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\66c4fb72090d8f58cea15e6d8b599fec39c7916cc6ef03f925e796fa881116c4.dll,#12⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1376-54-0x0000000000000000-mapping.dmp
-
memory/1376-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmpFilesize
8KB
-
memory/1376-56-0x0000000010000000-0x000000001000F000-memory.dmpFilesize
60KB
-
memory/1376-57-0x0000000010000000-0x0000000010958000-memory.dmpFilesize
9.3MB
-
memory/1376-58-0x00000000001F0000-0x00000000001FF000-memory.dmpFilesize
60KB
-
memory/1376-64-0x0000000010000000-0x0000000010958000-memory.dmpFilesize
9.3MB