Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-08-2022 12:40

General

  • Target

    f9d778ad3bfea174401f36a2d88851d8.dll

  • Size

    378KB

  • MD5

    f9d778ad3bfea174401f36a2d88851d8

  • SHA1

    fd2b30e2f029939c31c759d9fbdd5ee5242137c0

  • SHA256

    44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

  • SHA512

    046ee69e01fc2e64b3cf75ccfa9a0886ef4e6752f9d90e199c67b8cc9cfdf767d8235b3a638fc96782cea0ff1b278f8d36a2ea25c9a5a839c0c03d199de5175a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

79.110.52.8

79.110.52.80

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
      2⤵
      PID:1968

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1956-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

    Filesize

    8KB

  • memory/1968-55-0x0000000000000000-mapping.dmp

  • memory/1968-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB

  • memory/1968-57-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

  • memory/1968-62-0x00000000002B0000-0x00000000002BD000-memory.dmp

    Filesize

    52KB