Analysis
-
max time kernel
143s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20-10-2022 22:24
General
-
Target
ursnif_IAT_corrected.exe.dll
-
Size
56KB
-
MD5
8b52c277c63c5877c0e4ca32d1458957
-
SHA1
1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
-
SHA256
8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
-
SHA512
9f7022155d4764e625fe1a6b5377eed4b2e7620a9bd03c7f5474112de30bb60b7898c5e9a325035544d01c3621bff103f6b857373d146c1f622772e1abbf1b99
-
SSDEEP
768:A2KGmsx3R69vSvjyRpq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiu6:wGBx3R6iApqlaPGhVMq2LpeReOb2Pmp
Score
10/10
Malware Config
Extracted
Family
gozi_ifsb
Botnet
5000
C2
config.edge.skype.com
onlinetwork.top
linetwork.top
Attributes
-
base_path
/drew/
-
build
250246
-
exe_type
loader
-
extension
.jlk
-
server_id
50
rsa_pubkey.plain
aes.plain
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\ursnif_IAT_corrected.exe.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\ursnif_IAT_corrected.exe.dll2⤵
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
52KB