Overview

overview

10

Static

static

7bcf94551f...d4.exe

windows7_x64

10

7bcf94551f...d4.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-06-2021 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe

  • Size

    329KB

  • MD5

    b8dfb0c597f151c882146dc2a8ecd086

  • SHA1

    b8f5dcf26989fbfba9703442185b7e6d60739080

  • SHA256

    7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4

  • SHA512

    4307a9dc66a4abc82637b8a58cf18acdcba491434aedbf91c283d0c861fa4681b12ce2b60f043eeff8416b80280fc49ba12615ba35bc8630f7c5767db5cef3ad

Score
10/10
gozi_rm3202106191bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300974

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202106191

C2

https://gogorobest.xyz

Attributes
  • build

    300974

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe
    "C:\Users\Admin\AppData\Local\Temp\7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4.exe"
    1⤵
      PID:656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1292
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2884
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3244
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3228
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1508
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3272 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2556
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3676

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
      MD5

      0675c0d0da9a6eac284a10c2ddda636a

      SHA1

      6c7856ef6be6b6fce283423cf9d48e7d101d7fa7

      SHA256

      7852903b2b3bd59c816aa0a74272a4c51bae13f38bb72a67f3fd04b50d061b50

      SHA512

      09a3f652bd943a7cc3def436c9fe769bf5c30499b78d63598fc2fc23fa15932a08d545354129fc346133efbda456edfe8d4a10bab5a50abe7d132c2228815232

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      33903bc82111f229f0d3253b54e7dc56

      SHA1

      3c251b0440960195337ed9608a786a5aa44adea5

      SHA256

      a5599d4d4c3755410c3f394e1351e788375e8e487b9b4525e2e671ce9a9262c5

      SHA512

      a374919bb96e04dcd17038ef8638c22602e8969e2b6ace2060beec85dc39781bfcaa1bf31ab54898e1279d05c71d37a78d92c43d3679ce1df890d08799419795

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      1f2bc239e5eaee908952ee78fc85d40a

      SHA1

      1c6ec44ebf112b4114d88a4cb9481d8256560bcc

      SHA256

      58cc42d2628227c13950db87d60e23784bcef3e10be7ab198afc854923feee15

      SHA512

      8b1a1d18693e94a75bf09aa2de7e832ad1caf08eb558897fcfa5ba5c3c5b3111dd027171bfe6f695558ba2ae2e8e13f98d9389dd8282d56b6f6244385e26ba3a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
      MD5

      2f0ee876ab53bbd4dde2db306b595eb2

      SHA1

      ad2b8aac4a4fa602bd96e408466d8822a3702d3e

      SHA256

      9188c3cd0d4d7784b6bb18248973916752120121903b3f9e0c3cfcea09736360

      SHA512

      44278b5f9cea379e5ca67729deb3cb6819e362890831acd5c1f607357d28118399a5e7633aa9e1b7d27a9675b42b551312cf4c5754d8dea5ef8a1c4851f96626

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      c64fca51ddf3c611072b7129e5f3f9c7

      SHA1

      51e584e4656964132be05ce62d64aa7284dd418f

      SHA256

      5b5e32de2c37572aa862ff920c03e44ae2e2a07d6e4ff6667d93c50a7bcfae3e

      SHA512

      f4e80aec2ae82ffe261d1a64bb3b09d00ffad860ba69a7872dfa8bb1ea4df63b351615b92bf62300ab64ae17c2f1af1934d1ea521be971eea17648c90f634ea1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      23d3aed5e2d53b8bc9c2eeeb95d717ca

      SHA1

      9f9a60a7d1cc31042bcb6618addb6ac80a1c62e0

      SHA256

      22caec3c3240b061fd5f533cf39464f9120b6483459dad4226a372a760e56256

      SHA512

      cc764aacb86fc2aa5df1bc262c0cf6b3cf336e9024bc0b96ea457f129b9f0fafa702300bc1fed5580a2ba84bede29b6d96641d8b6c11205307c9eb229195aca8

      Download Submit
    • memory/396-131-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/512-122-0x0000000000000000-mapping.dmp
      Download
    • memory/656-118-0x0000000001000000-0x00000000014F0000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/656-115-0x0000000000540000-0x0000000000550000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-117-0x0000000000520000-0x000000000052C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1212-133-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1292-120-0x0000000000000000-mapping.dmp
      Download
    • memory/1464-139-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1508-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-135-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1812-121-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1972-119-0x00007FFA7C730000-0x00007FFA7C79B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2112-129-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2556-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2884-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3228-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3244-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3272-137-0x00007FFA8C4D0000-0x00007FFA8C53B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3676-140-0x0000000000000000-mapping.dmp
      Download