Resubmissions

18-03-2021 22:02

210318-wg14eesjje 10

13-11-2020 10:22

201113-ycmfkdqrdn 10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-03-2021 22:02

General

  • Target

    be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll

  • Size

    136KB

  • MD5

    fe590fd117449bce4bfad57d36bfc099

  • SHA1

    a5c3d7738ebc1f1ce8353e135b8dcea17155077b

  • SHA256

    be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2

  • SHA512

    f8e39f1e83dd666fff67161864c75057a0f6b4ad1692f0013f0aef47d69ed350662f0784555a72fcdb34bb5937371c7d75010639d5ae31c32d7383ee10a6605b

Malware Config

Extracted

Family

gozi_rm3

Botnet

2020109324

C2

https://bonderlas.xyz

Attributes
  • build

    300932

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
      2⤵
        PID:884
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:544
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1588
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1944
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:464 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1444

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/724-7-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp

      Filesize

      2.5MB

    • memory/884-6-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

    • memory/884-5-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

    • memory/884-4-0x0000000000170000-0x0000000000182000-memory.dmp

      Filesize

      72KB

    • memory/884-3-0x0000000076451000-0x0000000076453000-memory.dmp

      Filesize

      8KB

    • memory/884-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

      Filesize

      8KB

    • memory/1096-12-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

      Filesize

      8KB