Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2024 05:29

Static task: static1
Behavioral task: behavioral1
Sample: 8390c9aff9b8f652c36252270d51fb30.dll
Resource: win7-20231215-en
2 signatures
150 seconds
General
Target: 8390c9aff9b8f652c36252270d51fb30.dll
Size: 529KB
MD5: 8390c9aff9b8f652c36252270d51fb30
SHA1: 919ce33025c1901a2088b77c8543eb729fccf17a
SHA256: f41d351cba690cf05e4b5e5597b71697eb2e9125b656927aaf93edba25fbc8cd
SHA512: c1d5326f0a40d673aa1647842915d6eab70a34383238387bc2b7b4027d38d6d07676b71ff0a7e3d71d884c080f315714792459aaf49f90c3970404f032fe1a19
SSDEEP: 12288:ntCE7dSeqW+MNurWAFKlJejMSH6nimDC2t:bdSeSvrWAFK7ejNa/e0
Malware Config

Extracted
Family: gozi

Extracted
Family: gozi
Botnet: 1500
C2:
  f1.bablefiler.at
  f22.avanoruk.com
Attributes:
  build: 250211
  exe_type: loader
  server_id: 580
  rsa_pubkey.plain
  aes.plain
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description                       pid  process       target process
PID 624 wrote to memory of 3004   624  rundll32.exe  rundll32.exe
PID 624 wrote to memory of 3004   624  rundll32.exe  rundll32.exe
PID 624 wrote to memory of 3004   624  rundll32.exe  rundll32.exe

Processes
C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8390c9aff9b8f652c36252270d51fb30.dll,#1
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8390c9aff9b8f652c36252270d51fb30.dll,#1
  Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
memory/3004-3-0x0000000001560000-0x0000000001561000-memory.dmp  Filesize: 4KB
memory/3004-2-0x0000000075310000-0x00000000753AA000-memory.dmp  Filesize: 616KB
memory/3004-1-0x0000000075310000-0x00000000753AA000-memory.dmp  Filesize: 616KB
memory/3004-0-0x0000000075310000-0x00000000753AA000-memory.dmp  Filesize: 616KB
memory/3004-4-0x0000000002CB0000-0x0000000002CBD000-memory.dmp  Filesize: 52KB
memory/3004-7-0x0000000075310000-0x00000000753AA000-memory.dmp  Filesize: 616KB