Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    25-03-2021 17:04

General

  • Target

    cessentl1.dll

  • Size

    449KB

  • MD5

    caec766872f0fc3c7e4af0bf1e5cc939

  • SHA1

    dfb603663f5de381eafb617dccf51a2c30f34a4d

  • SHA256

    afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984

  • SHA512

    aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1

Malware Config

Extracted

Family

gozi_rm3

Botnet

210301

C2

https://gotoregt.space

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Blocklisted process makes network request (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SetWindowsHookEx (24 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cessentl1.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cessentl1.dll,#1
      • Blocklisted process makes network request
      PID:1240
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1964
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1988
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1528
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1416
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1040
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
      • Suspicious use of SetWindowsHookEx
      PID:1036

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)

Downloads


  • memory/1036-23-0x0000000000000000-mapping.dmp
  • memory/1040-22-0x0000000000000000-mapping.dmp
  • memory/1240-6-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize 4KB)
  • memory/1240-9-0x00000000001B0000-0x00000000001B2000-memory.dmp (Filesize 8KB)
  • memory/1240-2-0x0000000000000000-mapping.dmp
  • memory/1240-5-0x0000000000170000-0x0000000000183000-memory.dmp (Filesize 76KB)
  • memory/1240-4-0x0000000075030000-0x000000007503F000-memory.dmp (Filesize 60KB)
  • memory/1240-3-0x0000000076691000-0x0000000076693000-memory.dmp (Filesize 8KB)
  • memory/1320-10-0x000007FEFC271000-0x000007FEFC273000-memory.dmp (Filesize 8KB)
  • memory/1416-20-0x0000000000000000-mapping.dmp
  • memory/1528-16-0x0000000000000000-mapping.dmp
  • memory/1652-7-0x000007FEF7D20000-0x000007FEF7F9A000-memory.dmp (Filesize 2.5MB)
  • memory/1964-8-0x0000000000000000-mapping.dmp
  • memory/1988-11-0x0000000000000000-mapping.dmp