Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 09-08-2022 12:13

Static task: static1
Behavioral task: behavioral1
Sample: 62f24e6f4c4c7.dll
Resource: win7-20220718-en
2 signatures
150 seconds
General
Target: 62f24e6f4c4c7.dll
Size: 607KB
MD5: 62cdd734fdd2d50b1f36f16dac017061
SHA1: bacbec8f116f3e5274693cf7ba6de5c83fb3d9a8
SHA256: e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
SHA512: 2e11dd12f87781d226824de7286237d94d3ba5e77b2c189d5a3e6418d55a4c9689e8890e2734f6476b0893253a6993dc3aca261fd11bd7d2e05760e138daa467
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 3000
C2:
config.edge.skype.com
79.110.52.8
79.110.52.80
193.106.191.163
Attributes:
base_path: /drew/
build: 250240
exe_type: loader
extension: .jlk
server_id: 50
rsa_pubkey.plain
aes.plain
Signatures
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 484 wrote to memory of 1948 | 484 | regsvr32.exe | regsvr32.exe
(this identical row is recorded 7 times, one per IoC)