Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2023 19:30

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
  Resource: win7-20230712-en (windows7-x64)
  2 signatures, 150 seconds
General
Target: d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
Size: 602KB
MD5: f5229d20ad515e77c585134fcdfd8ca1
SHA1: b6741980071eeadd5a998d75ae890a1527153918
SHA256: d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396
SHA512: 6a54765346de383c6b4927cacdcf74d3d22a49ed9f7dc83c4c58d8c655827ab2866bea9f47ae16377a970e5d70c641d26effe877f381ee4662b65f47f246bc63
SSDEEP: 12288:/RI34sEF5wcH9seTP1GQn1WHhu67jd23ctEjBx/2g99:/RWu/wcH9seTdJn6VQcSj//199
Malware Config
Extracted
  Family: gozi
Extracted
  Family: gozi
  Botnet: 3000
  C2:
    config.edge.skype.com
    superstarts.top
    superlist.top
    internetcoca.in
    193.106.191.163
  Attributes:
    base_path: /drew/
    build: 250240
    exe_type: loader
    extension: .jlk
    server_id: 50
    rsa_pubkey.plain
    aes.plain
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
  description                      pid   process       target process
  PID 3720 wrote to memory of 708  3720  regsvr32.exe  regsvr32.exe
  PID 3720 wrote to memory of 708  3720  regsvr32.exe  regsvr32.exe
  PID 3720 wrote to memory of 708  3720  regsvr32.exe  regsvr32.exe

Processes
1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\d3d24cfc0f5d15b4f6160e539f45a7786fce3be249d56811e9b7f0368967e396.dll