gozi_rm3 | f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

Resubmissions

05-02-2021 13:55

05-02-2021 13:42

Target

32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll
Size

539KB
MD5

d31c0491f522d6b9f2102109bd2420af
SHA1

dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256

f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
SHA512

48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

Score

10^/10

Family

gozi_rm3

Botnet

201193207

https://topitophug.xyz

Attributes

rsa_pubkey.base64

serpent.plain

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 4776 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3700	4776	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3700 WerFault.exe
Token: SeBackupPrivilege 3700 WerFault.exe
Token: SeDebugPrivilege 3700 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 4776	4760	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#1
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 724
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3700

memory/3700-5-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000000000000-mapping.dmp

Download
memory/4776-3-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/4776-4-0x0000000006680000-0x0000000006692000-memory.dmp

Filesize
72KB

Download
memory/4776-6-0x0000000004CA0000-0x0000000004CAE000-memory.dmp

Filesize
56KB

Download
memory/4776-7-0x00000000065B0000-0x00000000065C0000-memory.dmp

Filesize
64KB

Download