gozi_rm3 | f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

Resubmissions

05-02-2021 13:55

210205-lmm8e3abda 10

05-02-2021 13:42

210205-serhwbtcf2 10

Analysis

max time kernel
445s
max time network
376s
platform
windows10_x64
resource
win10v20201028
submitted
05-02-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll
Size

539KB
MD5

d31c0491f522d6b9f2102109bd2420af
SHA1

dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256

f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
SHA512

48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

Score

10^/10

gozi_rm3 201193207 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193207

https://topitophug.xyz

Attributes

build
300932
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.base64

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 4776 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3700	4776	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3700 WerFault.exe
Token: SeBackupPrivilege 3700 WerFault.exe
Token: SeDebugPrivilege 3700 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3700	WerFault.exe
Token: SeBackupPrivilege	3700	WerFault.exe
Token: SeDebugPrivilege	3700	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#1
2⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 724
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3700-5-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000000000000-mapping.dmp

Download
memory/4776-3-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/4776-4-0x0000000006680000-0x0000000006692000-memory.dmp

Filesize
72KB

Download
memory/4776-6-0x0000000004CA0000-0x0000000004CAE000-memory.dmp

Filesize
56KB

Download
memory/4776-7-0x00000000065B0000-0x00000000065C0000-memory.dmp

Filesize
64KB

Download