Resubmissions

19-04-2021 09:51

210419-vsfnbxzjyn 10

General

  • Target

    selected-jobs.xls

  • Size

    1.9MB

  • Sample

    210419-vsfnbxzjyn

  • MD5

    4ab1efff60052e63eaace56a29413b62

  • SHA1

    6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866

  • SHA256

    eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605

  • SHA512

    a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://shemagh.pk/otp.txt

Extracted

Family

gozi_rm3

Botnet

210306

C2

https://getroad.xyz

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      selected-jobs.xls

    • Size

      1.9MB

    • MD5

      4ab1efff60052e63eaace56a29413b62

    • SHA1

      6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866

    • SHA256

      eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605

    • SHA512

      a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks