Overview

overview

10

Static

static

Software T...td.exe

windows7_x64

10

Software T...td.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    25-05-2021 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Software Two Pty Ltd.exe

  • Size

    279KB

  • MD5

    e51e8d553d497180c028cbd9b3123d32

  • SHA1

    902d5707d5e8d6d4e6f6e60e1b95aea5609723c6

  • SHA256

    8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8

  • SHA512

    5ed08018b744233fd72f3c283b55e3809cc628e6d82edcbdf6f9ae6170c6e20faa8fc499d0949fc68695f98d757701418247b955f261a95bf7b6dc31b155f437

Score
10/10
gozi_rm3202105141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

202105141

C2

https://robonight.xyz

Attributes
  • build

    300968

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Software Two Pty Ltd.exe
    "C:\Users\Admin\AppData\Local\Temp\Software Two Pty Ltd.exe"
    1⤵
      PID:2016
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1304 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3924
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1508
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3832 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2268
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1360
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3280 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1012
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3944
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      9bd290c73c295139470b5a56f8d857bb

      SHA1

      c838907b18895bc98a601e27c30b5de9acef88e7

      SHA256

      bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968

      SHA512

      c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      d6469b8a9d60b54741d3d757ff526490

      SHA1

      ce51c2303e2367b5933a581ca48adeba105cca75

      SHA256

      bf4ab2b2d396bf4bc8d68df7d5d302b1e393575fd0a09b8336bf3ded3ffe28bc

      SHA512

      d27606ca5dc4e23b28076a91fd4448e65b1f7d83187d6a9bb21c43ef7da97f80242f5c4302077cece8b14caec01aeae365035c64f0aba2ee2222568aabcbfba0

      Download Submit

    • memory/764-129-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/788-133-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/848-121-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/1012-132-0x0000000000000000-mapping.dmp

      Download

    • memory/1304-119-0x00007FFDED110000-0x00007FFDED17B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/1360-130-0x0000000000000000-mapping.dmp

      Download

    • memory/1508-126-0x0000000000000000-mapping.dmp

      Download

    • memory/1744-135-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/1972-136-0x0000000000000000-mapping.dmp

      Download

    • memory/2016-115-0x0000000000550000-0x0000000000564000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2016-118-0x0000000001000000-0x0000000001055000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2016-117-0x0000000000450000-0x000000000045E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2268-128-0x0000000000000000-mapping.dmp

      Download

    • memory/2752-125-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/3280-131-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/3808-122-0x0000000000000000-mapping.dmp

      Download

    • memory/3832-127-0x00007FFDFDBA0000-0x00007FFDFDC0B000-memory.dmp

      Filesize

      428KB

      Download

    • memory/3924-120-0x0000000000000000-mapping.dmp

      Download

    • memory/3944-134-0x0000000000000000-mapping.dmp

      Download