Analysis

Max time kernel: 154s
Max time network: 162s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-03-2024 15:00

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: d667b1620c679459b264492bfac2703b.dll
Resource: win7-20240221-en (windows7-x64)
Signatures: 2
Duration: 150 seconds
General

Target: d667b1620c679459b264492bfac2703b.dll
Size: 551KB
MD5: d667b1620c679459b264492bfac2703b
SHA1: 2eea0c6336defa9de132815607490035e47ea734
SHA256: fb3009e2deadbc2d6760489395bafba79aab3a3cfb41be06181d51bfe864d09b
SHA512: bac6f9956237df1a1fd2554e1210365ce1521a0cd89601b0228cebcb94c3ef6e454885079fa5f0e9383a63e378fe86490c935b1e99901c9500081f89549f3d4e
SSDEEP: 12288:4dsRFeVssCM5gMrj/LMMtBV0P6Fm92E89xE6FWkogdBtXcPZMfvG1EqYDWDt42O/:usRIfhAadeFoQqffC
Malware Config

Extracted
Family: gozi

Extracted
Family: gozi
Botnet: 1500
C2:
  f1.bablefiler.at
  f22.avanoruk.com
Attributes:
  build: 250211
  exe_type: loader
  server_id: 580
  rsa_pubkey.plain
  aes.plain
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       | pid  | process      | target process
  PID 4876 wrote to memory of 4896  | 4876 | rundll32.exe | rundll32.exe
  PID 4876 wrote to memory of 4896  | 4876 | rundll32.exe | rundll32.exe
  PID 4876 wrote to memory of 4896  | 4876 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667b1620c679459b264492bfac2703b.dll,#1
  PID: 4876
  Signatures: Suspicious use of WriteProcessMemory
  Child:
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d667b1620c679459b264492bfac2703b.dll,#1
      PID: 4896
Network
MITRE ATT&CK Matrix
Downloads

memory/4896-0-0x0000000074BB0000-0x0000000074CD4000-memory.dmp (filesize: 1.1MB)
memory/4896-1-0x00000000005A0000-0x00000000005A1000-memory.dmp (filesize: 4KB)
memory/4896-2-0x0000000000850000-0x000000000085D000-memory.dmp (filesize: 52KB)
memory/4896-5-0x0000000074BB0000-0x0000000074CD4000-memory.dmp (filesize: 1.1MB)