Overview

overview

10

Static

static

ewgr.png.dll

windows7_x64

10

ewgr.png.dll

windows10_x64

10

Resubmissions

03-11-2021 15:58

211103-tevassebf4 10

02-11-2021 04:23

211102-ez9hwsbfd6 10

02-03-2021 13:16

210302-qalv52kwwj 10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    02-03-2021 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ewgr.png.dll

  • Size

    646KB

  • MD5

    cf24c392a94a9bd8f381f0de2926a4f2

  • SHA1

    bf5ba2b5f9062b1a99797b593e378a1e59faa142

  • SHA256

    b4f98cb2d21258819d8678c29486a2e7854d576efc28b58d930551ca5aa24f20

  • SHA512

    ef2707615abb03cdda353d1ed081814fd77b0af78315d410736bb5e989d42f634c75f876c062254c25ec96e5b7fbb78bf41c7651cbd7d2efa68a49de61848ec0

Score
10/10
gozi_rm3201193209bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193209

C2

https://binobin.xyz

Attributes
  • build

    300932

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Blocklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ewgr.png.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ewgr.png.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1488
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:280
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1924
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1624
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:664
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1576
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:864
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1452 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1988
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:912
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    0cb6aff7f00ffdce23877e0fd80f88d5

    SHA1

    7cb46bde95f4e57c108100dff3786dc9d6169389

    SHA256

    fb6bd4558196dad5d2767534f435159f7ce7d69f8e0bb21d73af02b8778f5ad0

    SHA512

    04bfc5e5430709750613273778c7fc3a5d9eedc618fc60b6db2a55247c3a30609fbb0758f8923e3a84984ecae4903e68ee165f3c8515b8e922b70dceb9f402b2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    cfdfedc6ea8d57569babb32735084c62

    SHA1

    b0df7678119eef907ddfec71ee11f5f754a9bfd2

    SHA256

    364eede4810864606d7608709a939aeb03b54901a0fc19c8bb26d41eb27cae66

    SHA512

    ebdbedc6855aba9dda47a8b717ed489aa683bc99ebdbed85f867b10d5b04553fd91089342186289ea107b65c92d4b6d944bfdfae7d55a997be9aaf61fb3a68a2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    f0efb1e200f773904d651b27577853cc

    SHA1

    2d8ad398e8654008bd5c5d54d1ebaa44515fd6fd

    SHA256

    8ed52727369090dd7e6406859c38efe03aab90756e3cc75474679513c7c03b7b

    SHA512

    4846a242b4a8473fd314e797399b71936fb404404a6687205a6bdeb719cebd52553c62c9c77855fbe01f5112dfd9ae25d1bd7fbbd432c193d5004cc6ea9a8641

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    91d1d1180f38eb40a05a9cf654f21ac9

    SHA1

    8263431bd5fe61a89e499f8ea6cf27a92d88d8b0

    SHA256

    3a1b046439e1c25183129f8a938b39ecd987a0f237a1ade124bf45e4e31c81a6

    SHA512

    356f0559ccfa5f2342af5d2740ff46c0087d72f1d9225f8b167f1fa5e6bea7969f173f2f22be45e2b83c0fcd48a6acf58dd2f4f8721b3a780a84930b5a608d8a

    Download Submit
  • memory/612-8-0x000007FEF6080000-0x000007FEF62FA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/664-17-0x0000000000000000-mapping.dmp
    Download
  • memory/740-31-0x0000000000000000-mapping.dmp
    Download
  • memory/864-24-0x0000000000000000-mapping.dmp
    Download
  • memory/912-28-0x0000000000000000-mapping.dmp
    Download
  • memory/1436-10-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1436-11-0x0000000000560000-0x0000000000570000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1488-7-0x00000000001D0000-0x00000000001E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1488-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1488-6-0x0000000000170000-0x000000000017E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1488-5-0x00000000002E0000-0x00000000002F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1488-4-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1488-3-0x0000000075781000-0x0000000075783000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1576-22-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-12-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-25-0x0000000000000000-mapping.dmp
    Download