grandoreiro | d09a9e5ccce56752e0576e3f43b7fe4d401c577399853ffa34b4cf765b10f15e | Triage

Resubmissions

06/04/2023, 23:03

230406-21qthafe84 10

13/03/2023, 11:50

230313-nzsd2scc6y 1

13/04/2022, 02:53

220413-ddal1adhf9 1

Analysis

max time kernel
98s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2023, 23:03

Sharing

Report Analysis Logs

General

Target

dbghelp.dll
Size

242.9MB
MD5

31b00fe35cd795058e11e1bc2d8de272
SHA1

e25ebd7ea19dfc1948ac5e50e6166aa73bda5dca
SHA256

b253368444aba74db84589b6af2a5a0971a11c4129b220203870a4f5a82cd6fd
SHA512

ed213e2f0e8e40f2d828c9458fe6b50b4c44ecc0487bc924244b6957115e83737286ff7d082ab89ac11279f4075076b9f65d5d1841a07c0bcae337dd6310f443
SSDEEP

49152:BSjIuHVecUiBfG/aQimk8eGtsLwBnaUSLjV+Xa1TkT:B8HVecUitCk8ZtFqLjx

Score

10^/10

grandoreiro banker trojan

Malware Config

Signatures

Detects Grandoreiro payload 1 IoCs

resource	yara_rule
behavioral2/memory/4276-133-0x0000000002C40000-0x0000000003C40000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4276	4708	regsvr32.exe	83
PID 4708 wrote to memory of 4276	4708	regsvr32.exe	83
PID 4708 wrote to memory of 4276	4708	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dbghelp.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\dbghelp.dll
  2⤵
  PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4276 -ip 4276
1⤵
PID:2108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4276-133-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download