Overview

overview

10

Static

static

7bcf94551f...d4.exe

windows7_x64

10

7bcf94551f...d4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe

  • Size

    329KB

  • MD5

    b8dfb0c597f151c882146dc2a8ecd086

  • SHA1

    b8f5dcf26989fbfba9703442185b7e6d60739080

  • SHA256

    7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4

  • SHA512

    4307a9dc66a4abc82637b8a58cf18acdcba491434aedbf91c283d0c861fa4681b12ce2b60f043eeff8416b80280fc49ba12615ba35bc8630f7c5767db5cef3ad

Score
10/10
gozi_rm3202106191bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300974

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202106191

C2

https://gogorobest.xyz

Attributes
  • build

    300974

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe
    "C:\Users\Admin\AppData\Local\Temp\7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe"
    1⤵
      PID:1660
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1112
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:624
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:800
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1312
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1620
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1576

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
      MD5

      0675c0d0da9a6eac284a10c2ddda636a

      SHA1

      6c7856ef6be6b6fce283423cf9d48e7d101d7fa7

      SHA256

      7852903b2b3bd59c816aa0a74272a4c51bae13f38bb72a67f3fd04b50d061b50

      SHA512

      09a3f652bd943a7cc3def436c9fe769bf5c30499b78d63598fc2fc23fa15932a08d545354129fc346133efbda456edfe8d4a10bab5a50abe7d132c2228815232

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      33903bc82111f229f0d3253b54e7dc56

      SHA1

      3c251b0440960195337ed9608a786a5aa44adea5

      SHA256

      a5599d4d4c3755410c3f394e1351e788375e8e487b9b4525e2e671ce9a9262c5

      SHA512

      a374919bb96e04dcd17038ef8638c22602e8969e2b6ace2060beec85dc39781bfcaa1bf31ab54898e1279d05c71d37a78d92c43d3679ce1df890d08799419795

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      1f2bc239e5eaee908952ee78fc85d40a

      SHA1

      1c6ec44ebf112b4114d88a4cb9481d8256560bcc

      SHA256

      58cc42d2628227c13950db87d60e23784bcef3e10be7ab198afc854923feee15

      SHA512

      8b1a1d18693e94a75bf09aa2de7e832ad1caf08eb558897fcfa5ba5c3c5b3111dd027171bfe6f695558ba2ae2e8e13f98d9389dd8282d56b6f6244385e26ba3a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
      MD5

      ea60cbc9902c455976d85360b9268196

      SHA1

      9deb399095d7922fea0b985c9dbb8c569b4f363d

      SHA256

      2a11cd5e396edbc4de5425587c1d3aa18f8ff14ee7aa39f69af5112c576297be

      SHA512

      450e767e201e01843b7ee04d20da8c1cfdfa399b39753e78fff4dfb811c63bb1e1b8c423541b7a46190c46d08da4d6566b966df8ef3a6405dcbd47d6807c160e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      4a2f7aaf9bf9a5081e83f67150d761e1

      SHA1

      2091c0a0fa6b78f6b55ce174d94769c4cec61f88

      SHA256

      bbafacbf5dfe5a0a4344ce8564022efc575047cca37f50d465d18a4a8aa532e0

      SHA512

      cb8d546e310cf5155305435ccd24c2395b79efa79459aeddc3f43054c0f2ed44477236dd16e2934576f0286e891faff03173acc364a9f773eedb4ae2cde13fe0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      2048a82c10a7841de835f75ae9a9dfca

      SHA1

      5704eaf21717c7afcb4a495bd109f0f979bc778f

      SHA256

      73bccf661878f84d2d4a95514c38a7485bb630c7d12b999173e3c73e84d27c61

      SHA512

      8f9fd2ec31ab8018d7480e1c3111433ce1218c97023ecc42aafe42f111307417462c2fa00be8173fe8f3c96290d46929f9948c6a5fa63abb56da25394a9ac7ab

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      93725b54f4ba80fa11a2db32adca2031

      SHA1

      20528808dfb159669c30cab1b6c5d205cc79e6bf

      SHA256

      a90f0866d391d72ff7cb9944d55de021e98775d5922794d6abc3a7707b7e55c0

      SHA512

      474e923e00177034748f69c0c9ebbd1bd5380208f5d7fb23a24589cd26f693774b7754ac23f18386b5cd5975bd7c09129002ec7d2cf7e87090708288a77b753e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      5d822c3f29249a7f8e807fd6a8257f81

      SHA1

      9543727dcacb0850b0fb4fa7df3fa903f5c7b9e8

      SHA256

      513edb04e685a10608768f6eaeaa55916969f7048fb4b22fcc94dfc78d4bf453

      SHA512

      a038cf3894465064d54fbde1b99146241a07bff7f9aeae5327f4d32eea62a55a8c944e2a880bdd0cfa1f6484353fcd60324fec5cebd3e7e987fa51b04b312a9f

      Download Submit
    • memory/624-82-0x0000000000000000-mapping.dmp
      Download
    • memory/656-77-0x0000000000000000-mapping.dmp
      Download
    • memory/656-79-0x0000000000E60000-0x0000000000E62000-memory.dmp
      Filesize

      8KB

      Download
    • memory/764-76-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/800-85-0x0000000000000000-mapping.dmp
      Download
    • memory/808-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1112-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-86-0x0000000000000000-mapping.dmp
      Download
    • memory/1488-84-0x0000000002130000-0x0000000002140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1576-88-0x0000000000000000-mapping.dmp
      Download
    • memory/1620-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1660-64-0x00000000001B0000-0x00000000001BC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1660-60-0x0000000076E11000-0x0000000076E13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1660-61-0x00000000001C0000-0x00000000001D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1660-65-0x0000000001000000-0x00000000014F0000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/1660-67-0x00000000001F0000-0x00000000001F2000-memory.dmp
      Filesize

      8KB

      Download