Overview

overview

10

Static

static

10

d160a82b9e...39.dll

windows7_x64

10

d160a82b9e...39.dll

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-07-2021 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339.dll

  • Size

    60KB

  • MD5

    fd52ace064492971c79ae679d1326aef

  • SHA1

    b8fb62eaf0415586a1949863c1981d543199179b

  • SHA256

    d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339

  • SHA512

    1249c6d8f72e45631d47bf27489761963bd2148e0c0ec1743973bbf386268cd2a9be65bc8fa6d1d9a38ada8b35e8e78f6f02a0780af12d50c461ddeec12ca10b

Score
10/10
gozi_rm3210307bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

210307

C2

https://thetopdomain.xyz

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339.dll
      2⤵
        PID:3408
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:192
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:192 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2236
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3872
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3876 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2524
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2796
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3116 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2240
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1136
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3460
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/192-118-0x00007FFDD8020000-0x00007FFDD808B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/364-122-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/956-134-0x00007FFDECD90000-0x00007FFDECDFB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1136-131-0x0000000000000000-mapping.dmp
      Download
    • memory/1512-121-0x0000000000000000-mapping.dmp
      Download
    • memory/1628-135-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-126-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2052-132-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2236-119-0x0000000000000000-mapping.dmp
      Download
    • memory/2240-129-0x0000000000000000-mapping.dmp
      Download
    • memory/2524-125-0x0000000000000000-mapping.dmp
      Download
    • memory/2616-120-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2796-127-0x0000000000000000-mapping.dmp
      Download
    • memory/3116-128-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3408-115-0x0000000000130000-0x0000000000143000-memory.dmp
      Filesize

      76KB

      Download
    • memory/3408-114-0x0000000000000000-mapping.dmp
      Download
    • memory/3460-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-123-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-124-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3940-130-0x00007FFDE7D60000-0x00007FFDE7DCB000-memory.dmp
      Filesize

      428KB

      Download