Analysis

  • max time kernel
    148s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-07-2021 14:44

General

  • Target

    tru.bin.dll

  • Size

    395KB

  • MD5

    5522c21a05daf91658951bdf1c0e5271

  • SHA1

    fed4a9b4069cd2676928441ecf8c844cc7f4a9ee

  • SHA256

    eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993

  • SHA512

    d97a8021b9688c612e280ffcb5443916b9d09857daf82a62bd5efac35efeff138125466a74579568dd655cd66cd5085e10cedb4caf7981f4ee9f240839b33d55

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300974

Extracted

Family

gozi_rm3

Botnet

202106221

C2

https://bussipod.xyz

Attributes
  • build

    300974

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi that uses the RM3 loader.

  • Blocklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\tru.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\tru.bin.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1668
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1240
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1740
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1980
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1948
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:340
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1824
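
The process tree above shows the loader chain a detection engineer would key on: the 64-bit C:\Windows\system32\rundll32.exe is invoked with the DLL from the user's Temp directory and its export by ordinal (#1), it re-launches the same command line as the 32-bit C:\Windows\SysWOW64\rundll32.exe, and that WOW64 child is the process flagged for the network request. The Python below is an added example, not part of the original report, that runs three checks for exactly that pattern over constructed process-creation events mirroring the tree. PIDs, image paths and command lines are taken from the report; the explorer.exe parent and the benign Control Panel rundll32 event are assumed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """A process-creation event in the shape an EDR/Sysmon pipeline would emit."""
    pid: int
    ppid: int
    image: str                 # full image path
    cmdline: str               # full command line
    net_connect: bool = False  # the process later made an outbound connection


# "rundll32.exe <dll>,<entry>"; <entry> is an export name or an ordinal such as #1
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>#?\w+)', re.I)

# Directories a normal user can write to; a DLL hosted by rundll32 from one of
# these is far more suspicious than one under \Windows\.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\programdata\\", "\\users\\public\\",
)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll").strip(), m.group("entry")) if m else None


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run the three rundll32 checks; returns (rule_name, pid) hits."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        if not is_rundll32(e.image):
            continue
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        dll, entry = parsed
        dll_l = dll.lower()

        # Rule 1: export called by ordinal, DLL sitting in a user-writable directory.
        if entry.startswith("#") and any(d in dll_l for d in USER_WRITABLE_DIRS):
            hits.append(("rundll32_ordinal_export_from_user_dir", e.pid))

        # Rule 2: system32\rundll32.exe (64-bit) re-launching the same DLL under
        # SysWOW64. The 64-bit host cannot load a 32-bit DLL, so it spawns the
        # 32-bit rundll32 with an identical command line, as seen in the report.
        parent = by_pid.get(e.ppid)
        if ("\\syswow64\\" in e.image.lower() and parent is not None
                and is_rundll32(parent.image)
                and "\\system32\\" in parent.image.lower()):
            pparsed = parse_rundll32(parent.cmdline)
            if pparsed is not None and pparsed[0].lower() == dll_l:
                hits.append(("rundll32_wow64_relaunch_same_dll", e.pid))

        # Rule 3: rundll32 hosting a DLL that talks to the network.
        if e.net_connect:
            hits.append(("rundll32_network_connection", e.pid))
    return hits


def sample_events() -> List[ProcEvent]:
    """Constructed events mirroring the report's tree. The explorer.exe parent
    and the benign Control Panel invocation are assumed, not from the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\tru.bin.dll"
    return [
        ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(1472, 1000, r"C:\Windows\system32\rundll32.exe",
                  f"rundll32.exe {dll},#1"),
        ProcEvent(1668, 1472, r"C:\Windows\SysWOW64\rundll32.exe",
                  f"rundll32.exe {dll},#1", net_connect=True),
        # benign control: applet under \Windows\, export called by name, no network
        ProcEvent(2000, 1000, r"C:\Windows\system32\rundll32.exe",
                  "rundll32.exe shell32.dll,Control_RunDLL"),
    ]


if __name__ == "__main__":
    for rule, pid in evaluate(sample_events()):
        print(f"{rule}: pid {pid}")
```

Rule 1 alone fires on both rundll32 instances here; rules 2 and 3 only on the SysWOW64 child, which is what makes the pair a high-confidence chain rather than a noisy single-event alert. Admin tooling that legitimately calls rundll32 from Temp by ordinal is rare enough that the first rule is worth running on its own, but the 64-to-32-bit relaunch plus a connection from the child is the combination to page on.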

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry, T1112 (1)


Downloads (files written during the run; the CryptnetUrlCache Content and MetaData entries are CryptoAPI certificate/CRL cache files that Windows creates during TLS certificate validation, not files dropped by the sample itself)

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    MD5

    0675c0d0da9a6eac284a10c2ddda636a

    SHA1

    6c7856ef6be6b6fce283423cf9d48e7d101d7fa7

    SHA256

    7852903b2b3bd59c816aa0a74272a4c51bae13f38bb72a67f3fd04b50d061b50

    SHA512

    09a3f652bd943a7cc3def436c9fe769bf5c30499b78d63598fc2fc23fa15932a08d545354129fc346133efbda456edfe8d4a10bab5a50abe7d132c2228815232

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    d33394b86db2d590028ae542551b5a67

    SHA1

    200fac7cc75d4da652d0918a6fcbae6f7ca2c5a3

    SHA256

    4d5ff3d32db0d6e78c27f1de69f614c507a0928d24f1de79360cea58096b3859

    SHA512

    114ceb2a930baeb652710387734691cf9d56d2f60d1db94d9095151b1f537b7c89f504c96f4591e863c0c218ad200485e97e77c06ebd4e60c33958ce24acf167

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    MD5

    5714f89cee60134a78ef08463ded341b

    SHA1

    14c0609a929dda4687ef2dd6d7137d610110253f

    SHA256

    36c16b5068efe0c2f8e40974ffb155f5401a1b9ff20ebe86f5785bd03db10940

    SHA512

    33b7323e88bf1100f43dc09ff0593e8ef02a6e92b49de71cd910d7178eaef692eb6ff9447159ae0cc9f3f0b0d4ac85244a4a740001ebc2f969ca43f2ddda852c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    edb1b6f3610a08b2e030c6d83ea4cec4

    SHA1

    03c72d5fe8d321ae861f2c2d8081b08ad5c32356

    SHA256

    7ae4a2cfdd45b885e6bc9e9ea3b6aaaa1ea3bad56f3269ddff8647ff09594292

    SHA512

    fb3dd01001a57d529c90d8e6baa5f2c6bfb33d1c47936453b12f1090198172030d29c57f178405d057f7a57fb2e51504e773b961456f3f9c7aab765f1535caa7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    24855f7dc94dceb31e288d7b1c51fc4d

    SHA1

    51f3b88f65c87bc86d13cabbe52753b2b152fe0a

    SHA256

    81205a53e8c8501e321d8fdbd028902b3bcf0b4179dd439969b65b8b344ffd7c

    SHA512

    1912dd0a6fca04939d9d1d1d9f8d21e995995478f4d2b7796ee4abd11a20f0007658713e33f2df7a1345cea54e68adab580c82a8f8b7ab65dcba25ac2a42cf1c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    3fae8199b1dfae35afb0e47cd57701fd

    SHA1

    52ebefa4f8c0ac93a09cdb8ff9caf796e51de149

    SHA256

    f2c461f2f4fec2f68bd9c3b6d1f1807d69d822e7df40559c98bed92778500689

    SHA512

    c089d36fd7f89cdeafedc499ff62f568e326eb0cb6ca166fabb93c677a12a4457cc8360569589eaec639e748dcfebbdaf940c7ec32d843b88f0a55a38ada9be3

  • memory/340-86-0x0000000000000000-mapping.dmp
  • memory/952-81-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp
    Filesize

    8KB

  • memory/1240-67-0x0000000000000000-mapping.dmp
  • memory/1668-64-0x00000000001C0000-0x00000000001D0000-memory.dmp
    Filesize

    64KB

  • memory/1668-68-0x0000000000270000-0x0000000000272000-memory.dmp
    Filesize

    8KB

  • memory/1668-59-0x0000000000000000-mapping.dmp
  • memory/1668-63-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

  • memory/1668-61-0x0000000074D80000-0x0000000074D8F000-memory.dmp
    Filesize

    60KB

  • memory/1668-62-0x0000000074D80000-0x0000000074E81000-memory.dmp
    Filesize

    1.0MB

  • memory/1668-60-0x00000000757C1000-0x00000000757C3000-memory.dmp
    Filesize

    8KB

  • memory/1740-69-0x0000000000000000-mapping.dmp
  • memory/1824-88-0x0000000000000000-mapping.dmp
  • memory/1948-82-0x0000000000000000-mapping.dmp
  • memory/1948-84-0x00000000001E0000-0x00000000001E2000-memory.dmp
    Filesize

    8KB

  • memory/1980-76-0x0000000000000000-mapping.dmp
  • memory/1980-78-0x00000000003E0000-0x00000000003E2000-memory.dmp
    Filesize

    8KB