Overview

overview

10

Static

static

31b94c5a94...ed.exe

windows7_x64

10

31b94c5a94...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed.exe

  • Size

    315KB

  • MD5

    99246958839423b9af0d2ea872c505d9

  • SHA1

    6aba8c858610174bcff3c9cee57d8f7bc5d11564

  • SHA256

    31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed

  • SHA512

    b72cc152f2bb3799d678b4b371a85167ba441483a17d9a1c736df2a111abb0ad4ef7494939ed557ab25931a7fa35db52d0211f6899ed5a92f7e98756dfc0337e

Score
10/10
gozi_rm3202106191bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300974

Extracted

Family

gozi_rm3

Botnet

202106191

C2

https://gogorobest.xyz

Attributes
  • build

    300974

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed.exe
    "C:\Users\Admin\AppData\Local\Temp\31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed.exe"
    1⤵
      PID:1048
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:548
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1408
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1556
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:340
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1296
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:684
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1700
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
      MD5

      0675c0d0da9a6eac284a10c2ddda636a

      SHA1

      6c7856ef6be6b6fce283423cf9d48e7d101d7fa7

      SHA256

      7852903b2b3bd59c816aa0a74272a4c51bae13f38bb72a67f3fd04b50d061b50

      SHA512

      09a3f652bd943a7cc3def436c9fe769bf5c30499b78d63598fc2fc23fa15932a08d545354129fc346133efbda456edfe8d4a10bab5a50abe7d132c2228815232

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
      MD5

      33903bc82111f229f0d3253b54e7dc56

      SHA1

      3c251b0440960195337ed9608a786a5aa44adea5

      SHA256

      a5599d4d4c3755410c3f394e1351e788375e8e487b9b4525e2e671ce9a9262c5

      SHA512

      a374919bb96e04dcd17038ef8638c22602e8969e2b6ace2060beec85dc39781bfcaa1bf31ab54898e1279d05c71d37a78d92c43d3679ce1df890d08799419795

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      1f2bc239e5eaee908952ee78fc85d40a

      SHA1

      1c6ec44ebf112b4114d88a4cb9481d8256560bcc

      SHA256

      58cc42d2628227c13950db87d60e23784bcef3e10be7ab198afc854923feee15

      SHA512

      8b1a1d18693e94a75bf09aa2de7e832ad1caf08eb558897fcfa5ba5c3c5b3111dd027171bfe6f695558ba2ae2e8e13f98d9389dd8282d56b6f6244385e26ba3a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
      MD5

      95959cb667c87e7ddf468087f8d147cf

      SHA1

      a4624c19c909295292cee877ea7c6c4d016b3530

      SHA256

      17a58392be3788f5727dc6f40312f0838efb8ceda33fe412cbe9ae014e0f059e

      SHA512

      490b5eefdd5cad38a353c10ebeb8ea3ded687378397a87150d4503b29daca2d6f3a0d861b2005bf90b34838cd67e146e0a92594f8958ba24659a4c4e181e5745

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
      MD5

      c3591f454cce0ae7ba2caa3df7577d8e

      SHA1

      e6e1a3204dd8921ad74a63ce052164b5542611ea

      SHA256

      4ae81ee7b78c7dbdbaabf01f8645b4389e632accecf344c6b76fba23960a238f

      SHA512

      baee11f09f14d407322bf3195e69b6e19c98caa98499e9f256bb8dad273624485fcf473584d87ba8cce639d5fdca3bc474e891353e264d39ee7eda5a4e785c8f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      1159601eb6ee2e5973a159473b6dfb75

      SHA1

      b8c1229f778a2e8fdb82dc5d43046ea28050c16a

      SHA256

      0eb7a14703fd1153944ffaccdc9d269025d692224a779e3e3cb16e0b6e439a6b

      SHA512

      877bca1704dc6291e9b8391d0e72a3bbcd6a4fc0c22be48840277a120cabb4891d7d8dd69d718303c234a290ca3a6f53ace9a7421d6f3813af798aa929b0abff

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E1A1F5F9038B3A725570AC643199BE3
      MD5

      903a06c43dd774746eb41514237722b8

      SHA1

      fa259817fbfd3ea13f44bfd2dad688feb805de8e

      SHA256

      2c0934013c426d17aa757c2cb13f6df95be002d9511aa4f2b16e34d41fd9ebb9

      SHA512

      1f4cf5447826978b25a80d27a2ced54376f1276777383bd9d143822ee2ef74362bf53146bc902d6842ff120cc8467a46ef515f92bfa66898fb503ac3605a11f9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      MD5

      efd7be3d2d85a5efba925a8be0874c42

      SHA1

      22a2e2ba33d410340a891053f092a3ba3d0356c5

      SHA256

      9b6734f0dd49f61e062722053ccf46493b1c353a1b37b964cf0d506eb833e6d2

      SHA512

      e14d32a67e3ea3db941bd61d20032b7459570d0e912d5b429239f73304e81c63be9fcf15cd99909ff9402c726d629e11fd8a999ef6b46d30e6c444727fe0ae31

      Download Submit
    • memory/340-81-0x0000000000000000-mapping.dmp
      Download
    • memory/548-65-0x0000000000000000-mapping.dmp
      Download
    • memory/628-88-0x0000000000000000-mapping.dmp
      Download
    • memory/684-83-0x0000000000000000-mapping.dmp
      Download
    • memory/1048-61-0x0000000001000000-0x00000000014EC000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/1048-62-0x0000000000230000-0x0000000000240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1048-59-0x0000000000220000-0x000000000022C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-60-0x0000000075721000-0x0000000075723000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1048-67-0x0000000000270000-0x0000000000272000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1296-82-0x0000000000000000-mapping.dmp
      Download
    • memory/1408-70-0x00000000005D0000-0x00000000005D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1408-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-78-0x0000000000000000-mapping.dmp
      Download
    • memory/1700-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1700-87-0x0000000000470000-0x0000000000472000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-84-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
      Filesize

      8KB

      Download