Analysis
max time kernel: 41s
max time network: 44s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2022 09:30
Static task: static1
Behavioral task: behavioral1
Sample: 62ea3f935563b.dll
Resource: win7-20220715-en
2 signatures
150 seconds
General
Target: 62ea3f935563b.dll
Size: 300KB
MD5: 614e312af0e5de7c6b9819e3a1c766d4
SHA1: 01e384618d8eadb244184e66e6450752ea0ceade
SHA256: 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
SHA512: 362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
config.edge.skype.com
37.120.206.71
37.120.206.84
193.106.191.163
Attributes
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50
rsa_pubkey.plain
aes.plain
Signatures
Suspicious use of WriteProcessMemory 7 IoCs
Processes: regsvr32.exe
description                      pid   process       target process
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe
PID 1064 wrote to memory of 1660 1064  regsvr32.exe  regsvr32.exe