Overview

overview

10

Static

static

9

631aa78823...b6.exe

windows7_x64

10

631aa78823...b6.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-04-2021 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6.exe

  • Size

    271KB

  • MD5

    18d22f87d6d2b149796ab187afe9efe9

  • SHA1

    08ce312f4f0d94948271f7557ff9b6579631862b

  • SHA256

    631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

  • SHA512

    b8a45829cc2db4959779ecf4fd5d188d7fbabf5270b998e1107e443cab73ab8314fc070b6c183cac630128f1cf1f914e33731bc3fb54136c22e0998ded4195d9

Score
10/10
gozi_rm3202004081bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

202004081

C2

https://triomigratio.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6.exe
    "C:\Users\Admin\AppData\Local\Temp\631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6.exe"
    1⤵
      PID:1144
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:684
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:82947 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2416
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3720
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3776
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3956
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2792

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/684-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1144-2-0x0000000002190000-0x00000000021A1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1144-4-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1144-3-0x00000000001D0000-0x00000000001DC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2416-6-0x0000000000000000-mapping.dmp
      Download
    • memory/2792-11-0x0000000000000000-mapping.dmp
      Download
    • memory/3720-7-0x0000000000000000-mapping.dmp
      Download
    • memory/3776-8-0x0000000000000000-mapping.dmp
      Download
    • memory/3836-10-0x0000000000000000-mapping.dmp
      Download
    • memory/3956-9-0x0000000000000000-mapping.dmp
      Download