Overview

overview

10

Static

static

Software T...td.exe

windows7_x64

10

Software T...td.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    25-05-2021 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Software Two Pty Ltd.exe

  • Size

    279KB

  • MD5

    e51e8d553d497180c028cbd9b3123d32

  • SHA1

    902d5707d5e8d6d4e6f6e60e1b95aea5609723c6

  • SHA256

    8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8

  • SHA512

    5ed08018b744233fd72f3c283b55e3809cc628e6d82edcbdf6f9ae6170c6e20faa8fc499d0949fc68695f98d757701418247b955f261a95bf7b6dc31b155f437

Score
10/10
gozi_rm3202105141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

202105141

C2

https://robonight.xyz

Attributes
  • build

    300968

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Software Two Pty Ltd.exe
    "C:\Users\Admin\AppData\Local\Temp\Software Two Pty Ltd.exe"
    1⤵
      PID:2020
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1172
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1368
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1960
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1620
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1532
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:916

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      9bd290c73c295139470b5a56f8d857bb

      SHA1

      c838907b18895bc98a601e27c30b5de9acef88e7

      SHA256

      bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968

      SHA512

      c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      3f63502483e8d44bd0d349a120d22559

      SHA1

      fbf83af1e4f12c5a67ac03fbea0fa2f06ee0a83d

      SHA256

      5d5fcab149acdeb07066d868455f71fa67888d2be45612999371d05618a5d7ad

      SHA512

      978cb22c98102d353113a05c26cbd103747ab70ced6298a7eccb696464ca6fb845b71ee43267d0846244f0807296be0c61c7ac7dee36c3414bf9e4d6f632449b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      3eb3df31f44fc46b126601ab7e35125d

      SHA1

      28dd6d0f39662c4e3d2924b2def5ea23442128da

      SHA256

      3e374a3938f18e3655ab2727003ed0584f069a3ae3c6a6dc05050e1de8aa7567

      SHA512

      a10e20914285e8f9c3fba17a1b87752a328640a4b7f69aa3bf07d69a0e57dc8bce1a1639f25dbc8e10b9d3d963b71ad2c98a62c2bc2ea9ae510567b072bc2806

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      b4e404dc4737c8d6c4f10d66b434a618

      SHA1

      f717ea6750dd0f33bc8be2b6f42ff35de9a33d27

      SHA256

      b955159c2ae330b2184882b3c8bfd5d347ba8b31f2b2fa1d7f2edd6bcbbc5871

      SHA512

      aecec47b460e7f4a7b6eef8a485abf97a5a2aec70cce89d505b19750460ea3c066aeda317579ed5142d49c9ef34bbe317b799d1f8438cc74b55e1840a05600d4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
      MD5

      191216daa628cbbe4b827ddc779a7580

      SHA1

      408b25bf776366ba5a0b0b447e9f6fd448ce1985

      SHA256

      1e28ac8088f09f283c25eb68f99ccde0f3086c7a5aa5d6cc49845ba2d2e28b8a

      SHA512

      a5c3f182e1b3c10d278c8f7bee566e350d5bf84618a784804d52c29914527ea9dd18cebbd00d80b9ed6225e602777b2dd470f2ed6e19f1e60dc07e9336bad651

      Download Submit
    • memory/804-66-0x0000000002150000-0x0000000002160000-memory.dmp
      Filesize

      64KB

      Download
    • memory/804-65-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
      Filesize

      8KB

      Download
    • memory/916-84-0x0000000000000000-mapping.dmp
      Download
    • memory/1172-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1368-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1532-83-0x0000000000000000-mapping.dmp
      Download
    • memory/1620-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1960-79-0x00000000021D0000-0x00000000021D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1960-77-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-59-0x0000000000230000-0x000000000023E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2020-61-0x0000000076281000-0x0000000076283000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2020-62-0x0000000000240000-0x0000000000254000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2020-68-0x0000000000290000-0x0000000000292000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2020-60-0x0000000001000000-0x0000000001055000-memory.dmp
      Filesize

      340KB

      Download