gozi_rm3 | f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

Analysis

max time kernel
126s
max time network
128s
platform
windows7_x64
resource
win7v20201028
submitted
05-02-2021 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ioir.png.dll
Size

539KB
MD5

d31c0491f522d6b9f2102109bd2420af
SHA1

dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256

f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
SHA512

48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

Score

10^/10

gozi_rm3 201193207 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193207

https://topitophug.xyz

Attributes

build
300932
exe_type
loader

rsa_pubkey.base64

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	1916	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e7c32f603594754399685aba64b76bd100000000020000000000106600000001000020000000e3e95b816d9a2b51cf9f4e13b4ce5da85eeef17c2138d027fbe2a4edd58b0827000000000e8000000002000020000000eb36aae7308cf26fabc548a6a78273e094a178800ffa3bf55032106a61537ceb90000000c52bdf197b2ee404becd005f5cf4e8d1674a5303c8dba29c6e953910d12ac04213085f4d2b11163a6ac36494663013e129f99e08f1cc58b978e462b1077f723db7162ec550c3647cf50816f7eedff63e3b02f922f26fd4d3486374ef5ac96c0f3287ea1a946f18470d51684541c91fb80028fb9e51dbfa5d46d5ae14d7e165a82ff1d1e93199aeb30b3de58ce6326dc04000000006dbc4a6625d9018d2e0a5cb26b2563c7f53d3d9d16b60d971a18cbd07a7ee4a70a1e99740a4c60104303d96e7ce0c1c17e6b793ca41907806b9c79c36ac6647	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e7c32f603594754399685aba64b76bd10000000002000000000010660000000100002000000049726499e25fde7cd09a2434fc8c2dac7035584c3385bb47de6ec5675d0e8f4c000000000e800000000200002000000057ecb56f9c7c4ec10aed3f8de7eef26cfa93c3dfee0a71667255973613d0957f20000000716fe87d071d492bd100cda6cb39843971e1224dd9d6535a38ac332a1dbd4704400000003399dce9743d500c409e72da9aed90762c65d51ed67a716b6820d8e330aec180cb2ea3b1fe40bd9039f6912b8d3a240898340b766df3fa80277046b1e70cffe5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE1500B1-67C3-11EB-885E-DA18B1AB4242} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e8b797d0fbd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3AD7631-67C3-11EB-885E-DA18B1AB4242} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1460	iexplore.exe
1976	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1460	iexplore.exe
1460	iexplore.exe
972	IEXPLORE.EXE
972	IEXPLORE.EXE
1976	iexplore.exe
1976	iexplore.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1096 wrote to memory of 1916	1096	rundll32.exe	25
PID 1460 wrote to memory of 972	1460	iexplore.exe	35
PID 1460 wrote to memory of 972	1460	iexplore.exe	35
PID 1460 wrote to memory of 972	1460	iexplore.exe	35
PID 1460 wrote to memory of 972	1460	iexplore.exe	35
PID 1976 wrote to memory of 1828	1976	iexplore.exe	38
PID 1976 wrote to memory of 1828	1976	iexplore.exe	38
PID 1976 wrote to memory of 1828	1976	iexplore.exe	38
PID 1976 wrote to memory of 1828	1976	iexplore.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ioir.png.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ioir.png.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-9-0x000007FEF7500000-0x000007FEF777A000-memory.dmp

Filesize
2.5MB

Download
memory/1460-8-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp

Filesize
8KB

Download
memory/1916-7-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1916-6-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/1916-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1916-3-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download