Overview

overview

10

Static

static

ioir.png.dll

windows7_x64

10

ioir.png.dll

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-02-2021 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ioir.png.dll

  • Size

    539KB

  • MD5

    d31c0491f522d6b9f2102109bd2420af

  • SHA1

    dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708

  • SHA256

    f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

  • SHA512

    48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

Score
10/10
gozi_rm3201193207bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193207

C2

https://topitophug.xyz

Attributes
  • build

    300932

  • exe_type

    loader

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Blocklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ioir.png.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ioir.png.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1916
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:972
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\61F95D72644321B3AD7A1D512B8D6E8B
    MD5

    9bc7c66842ce55fb615785434a1e4ae2

    SHA1

    0841bba8f45cc927201dab1668d7de43c808f3a8

    SHA256

    cdf81a744d87fcc80a9593edceb9103d9eb19ee8023da16b26c17844ffa88eaa

    SHA512

    e85136f1da80428111ce2f626f6e90dff88d11f2de62f461d292104f2807b08ae2c625397d6c889544566c15cd772e1ed45b2fa18d89489140d59b6bb7fc9eba

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    0cb6aff7f00ffdce23877e0fd80f88d5

    SHA1

    7cb46bde95f4e57c108100dff3786dc9d6169389

    SHA256

    fb6bd4558196dad5d2767534f435159f7ce7d69f8e0bb21d73af02b8778f5ad0

    SHA512

    04bfc5e5430709750613273778c7fc3a5d9eedc618fc60b6db2a55247c3a30609fbb0758f8923e3a84984ecae4903e68ee165f3c8515b8e922b70dceb9f402b2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\61F95D72644321B3AD7A1D512B8D6E8B
    MD5

    82ba4e1c91dae0caf0cf8aef6421befd

    SHA1

    9fd3d2ca7a3baaec8ea594959113032d746218ae

    SHA256

    760ddd4eed786e3810e01a5f0f523e2e4f46f548d81e8dd0582e40909a7e1e95

    SHA512

    c9b5747ee435b4ebf97eabbe857e266673f9b6c841b22874f2ce8c4631b849b6ffafc4f4d34a4aae6e153c51fef97db9da9504bc4573aa6e6b40d74489fe6066

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    c1e8a97908c354f844c2c6d8f8e576a4

    SHA1

    87891109d7a3f9128d8709a5c2d1f2752c0d7458

    SHA256

    1bfb8434f81748eb1cc342547d69421a276e6c65c547cf903c932dbdc660fe22

    SHA512

    9f86739f378f1c1bb93d150c8a53eb3859a162d285086072e029a5ccb532c93c40855ac84977746bb37707a6a967ba9346137cedf7c511c232ba323e61a06a78

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    90dd44622f638999528a71a22633e5b3

    SHA1

    29beadb2e36a3174279428e9a130ed1676c43f4a

    SHA256

    7c6e4a7cc4d3718a04217c5b620a53f513f089b71c613d726dba437b8b45fe7e

    SHA512

    10d64ec299809b53630cea8c685ceb42e4190a16b3ce2d915fd404a1cd34be0d6234e422eb1d0ee2deb33e755826c6d7c0bf1a77b15117882ca14d3b9440c01d

    Download Submit
  • memory/856-9-0x000007FEF7500000-0x000007FEF777A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/972-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1460-8-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1828-11-0x0000000000000000-mapping.dmp
    Download
  • memory/1916-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1916-7-0x0000000000270000-0x0000000000280000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1916-6-0x0000000000290000-0x00000000002A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1916-4-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1916-5-0x0000000000250000-0x000000000025E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1916-3-0x0000000075301000-0x0000000075303000-memory.dmp
    Filesize

    8KB

    Download