Analysis
- max time kernel
  141s
- max time network
  151s
- platform
  windows10-2004_x64
- resource
  win10v2004-20230220-en
- resource tags
  arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted
  12-06-2023 15:28
Static task
static1
Behavioral task
behavioral1
Sample
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
Resource
win7-20230220-en
General
-
Target
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
-
Size
511KB
-
MD5
dbe0888d7edb236b38d0dcfd33dd0a06
-
SHA1
f53a59741ddc982af5b77bd77ab99f74e9b33948
-
SHA256
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
-
SHA512
b893e59fb0cf5db3ae076798849e467b239c7be30917cff40b5df6d5f9feadb50e90ba728ea9955f628c27e519c407f5b7c4b12eba002064387846e7662e2473
-
SSDEEP
6144:yTZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jyy:YZP+7jsZS0r59Qw3RxjkeP
Malware Config
Extracted
gozi
3000
config.edge.skype.com
89.41.26.99
89.45.4.102
interstarts.top
superlist.top
internetcoca.in
-
base_path
/drew/
-
build
250246
-
exe_type
loader
-
extension
.jlk
-
server_id
50
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exe

description                        pid   process       target process
PID 2472 wrote to memory of 4116   2472  regsvr32.exe  regsvr32.exe
PID 2472 wrote to memory of 4116   2472  regsvr32.exe  regsvr32.exe
PID 2472 wrote to memory of 4116   2472  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86.dll