grandoreiro | 49cfe94da4521577cbf2daac1ca01bc05cbaf29ff0cd3f978a2658294b11e599

Resubmissions

06/04/2023, 23:01

13/03/2023, 10:25

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/04/2023, 23:01

Target

ba0f7d3caed95ad38d801667520ea0beed0744d8aca7d3cf896a5239dc983d03.dll
Size

289.8MB
MD5

0887e398eceda40064ee01f6cc6e9424
SHA1

45869d15d9624dadaa9352ef5191a870d1a413de
SHA256

ba0f7d3caed95ad38d801667520ea0beed0744d8aca7d3cf896a5239dc983d03
SHA512

0d8fcfe7ea1d480f11a25ce21969f520d15e306ea85acdbd2e01a692659d63368b2d005fa0ee19c1ae31173f4a2c61ead13718021c38580ec14c429acce0473f
SSDEEP

196608:TQO9U+pMkEO6Tr5NUR4ureIXH5yJ7nxkYuQPP3r7DbGF/UALgV:T/sO6Tr5NUR4ureIXYjTuQPPy/UQ

Score

10^/10

Detects Grandoreiro payload 2 IoCs

resource	yara_rule
behavioral1/memory/2040-54-0x00000000023F0000-0x00000000033F0000-memory.dmp	family_grandoreiro_v1
behavioral1/memory/2040-60-0x00000000023F0000-0x00000000033F0000-memory.dmp	family_grandoreiro_v1

Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
trojan banker grandoreiro

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27
PID 1728 wrote to memory of 2040	1728	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ba0f7d3caed95ad38d801667520ea0beed0744d8aca7d3cf896a5239dc983d03.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ba0f7d3caed95ad38d801667520ea0beed0744d8aca7d3cf896a5239dc983d03.dll
  2⤵
  PID:2040

memory/2040-54-0x00000000023F0000-0x00000000033F0000-memory.dmp

Filesize
16.0MB

Download
memory/2040-55-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2040-58-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2040-59-0x0000000014810000-0x0000000014811000-memory.dmp

Filesize
4KB

Download
memory/2040-60-0x00000000023F0000-0x00000000033F0000-memory.dmp

Filesize
16.0MB

Download