Overview

overview

10

Static

static

8f6b3ca7b7...d8.exe

windows7_x64

10

8f6b3ca7b7...d8.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-05-2021 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8.exe

  • Size

    279KB

  • MD5

    e51e8d553d497180c028cbd9b3123d32

  • SHA1

    902d5707d5e8d6d4e6f6e60e1b95aea5609723c6

  • SHA256

    8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8

  • SHA512

    5ed08018b744233fd72f3c283b55e3809cc628e6d82edcbdf6f9ae6170c6e20faa8fc499d0949fc68695f98d757701418247b955f261a95bf7b6dc31b155f437

Score
10/10
gozi_rm3202105141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

202105141

C2

https://robonight.xyz

Attributes
  • build

    300968

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8.exe
    "C:\Users\Admin\AppData\Local\Temp\8f6b3ca7b7afd249f3fc68f7ff2ce5ca5a206c2a1d123b5ac3aa28bf7f1eabd8.exe"
    1⤵
      PID:3904
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3364 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4092
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:192
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:192 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3100
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2128
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2208
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3864
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1588
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1896

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      9bd290c73c295139470b5a56f8d857bb

      SHA1

      c838907b18895bc98a601e27c30b5de9acef88e7

      SHA256

      bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968

      SHA512

      c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      ee7dfef539382e021c014a341abeef4e

      SHA1

      1a04f4b37d0c3b593aabcbe8b30b2410ac3e2061

      SHA256

      9f1fa0bd5bbb23e37d4a49220ba1069409bb4f9dda87c3e32d7749ff0034bfbf

      SHA512

      01cc73f9434fd6fe7608de907288a5c897c3786f1da6270c19eb73fd28dcb91d80b8e1fdf6d737bbf714a69cc7ea49235e850e67772e70845f4d87b2a9817698

      Download Submit
    • memory/192-121-0x00007FFA57D90000-0x00007FFA57DFB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/580-134-0x0000000000000000-mapping.dmp
      Download
    • memory/644-131-0x00007FFA57EA0000-0x00007FFA57F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1192-133-0x00007FFA57EA0000-0x00007FFA57F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1352-129-0x00007FFA57EA0000-0x00007FFA57F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1532-125-0x00007FFA57D90000-0x00007FFA57DFB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1588-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1768-127-0x00007FFA57EA0000-0x00007FFA57F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1896-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2128-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2208-128-0x0000000000000000-mapping.dmp
      Download
    • memory/2480-135-0x00007FFA57EA0000-0x00007FFA57F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3100-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3364-119-0x00007FFA471B0000-0x00007FFA4721B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3864-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3904-115-0x0000000000530000-0x0000000000544000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3904-118-0x0000000001000000-0x0000000001055000-memory.dmp
      Filesize

      340KB

      Download
    • memory/3904-117-0x0000000000400000-0x000000000054A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4092-120-0x0000000000000000-mapping.dmp
      Download