Analysis
- max time kernel: 87s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 03-08-2022 10:56
Static task: static1
Behavioral task: behavioral1
Sample: 8fcfb8f38d8607c57f08f9b39139065f.dll
Resource: win7-20220715-en
2 signatures
150 seconds
General
- Target: 8fcfb8f38d8607c57f08f9b39139065f.dll
- Size: 300KB
- MD5: 8fcfb8f38d8607c57f08f9b39139065f
- SHA1: 805bb719009145dcc32b5361abf5bb4d91015dbb
- SHA256: ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
- SHA512: 6d02b5338e387185520c45a45434bf5e949fdfd66d484459c3e817b76fbfc50621d0fbd5e4e5f3618f02ea257b8d73a53637b7bc791cc40300e837e2de72007f
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
- config.edge.skype.com
- 37.120.206.71
- 37.120.206.84
- 193.106.191.163
Attributes:
- base_path: /drew/
- build: 250240
- exe_type: loader
- extension: .jlk
- server_id: 50
rsa_pubkey.plain
aes.plain
Signatures
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
description | pid | process | target process PID
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe
PID 1064 wrote to memory of 1660 | 1064 | regsvr32.exe | regsvr32.exe