Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10-09-2021 07:11

General

  • Target

    XKArsO.exe_.exe

  • Size

    880KB

  • MD5

    e40c8ed836ffe0f83e1e5183fd01b7dd

  • SHA1

    96f9957f985f4258b92ae2750bc012f4938bb632

  • SHA256

    cd0a53dd2613409da460ac1b8274b6f6e6832c4f6454782604a6429dad31aebc

  • SHA512

    8aed42d7e91c850a49b09493c6d7f37d4056541ec530aba0e1c3f2fd9d161538728a46d3f9d62b4f06be5aa86f798427d6daf4cc39c13c6b592cea6c6a32b635

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300981

Extracted

Family

gozi_rm3

Botnet

202108021

C2

https://haverit.xyz

Attributes
  • build

    300981

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIGhMA0GCSqGSIb3DQEBAQUAA4GPADCBiwKBgQDQvSE+pGC5ueFuFpsWZNFb2D62
JrHBcRqgYrVTvdjBpXuaQW5ardkd9dQbqV/m9lqnAPR/0bzeIxp3S25u4aysggiU
q9vS8NOAX5OUj/9xYDDmNGC4wwov91iWFs2zVQq/NK3xbdAoFHf4tBEbHMqwBYO0
yXwvy6ct9gfu47z1YQIFAOO89WE=
-----END PUBLIC KEY-----

aes.plain

kUQPFKASLooZS1Lr
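The public key above is the only cryptographic material in the config that can be checked offline. The following is an added example, not part of the sandbox report and not code from the Gozi toolchain: a minimal DER walker over the rsa_pubkey.plain value that recovers the modulus size and public exponent without relying on a crypto library. Run against this sample it reports a 1024-bit modulus and an exponent of 0xE3BCF561 rather than 65537, and it also shows that the exponent's four bytes coincide with the last four bytes of the modulus, which is worth re-checking against the raw config blob before using the exponent as a family fingerprint. The helper names (`parse_rsa_spki`, `describe_key`) are this example's own.

```python
import base64

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER form
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# rsa_pubkey.plain exactly as the sandbox extracted it from this sample
GOZI_RM3_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGhMA0GCSqGSIb3DQEBAQUAA4GPADCBiwKBgQDQvSE+pGC5ueFuFpsWZNFb2D62
JrHBcRqgYrVTvdjBpXuaQW5ardkd9dQbqV/m9lqnAPR/0bzeIxp3S25u4aysggiU
q9vS8NOAX5OUj/9xYDDmNGC4wwov91iWFs2zVQq/NK3xbdAoFHf4tBEbHMqwBYO0
yXwvy6ct9gfu47z1YQIFAOO89WE=
-----END PUBLIC KEY-----"""


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")


def parse_rsa_spki(pem: str) -> tuple:
    """Parse a PEM SubjectPublicKeyInfo carrying an rsaEncryption key; return (n, e)."""
    b64 = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo")
    tag, alg, pos = _tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, _ = _tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not rsaEncryption: {oid.hex()}")
    tag, bitstr, _ = _tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey")
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    tag, rsakey, _ = _tlv(bitstr[1:], 0)    # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    _expect(tag, 0x30, "RSAPublicKey")
    tag, n_bytes, pos = _tlv(rsakey, 0)
    _expect(tag, 0x02, "modulus")
    tag, e_bytes, _ = _tlv(rsakey, pos)
    _expect(tag, 0x02, "publicExponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_key(pem: str) -> dict:
    """Facts an analyst wants before treating the key as an indicator (example's own summary)."""
    n, e = parse_rsa_spki(pem)
    return {
        "modulus_bits": n.bit_length(),
        "e_hex": f"0x{e:X}",
        "e_is_65537": e == 65537,
        # For this sample the exponent bytes equal the low 32 bits of the modulus.
        # Verify against a second extraction before relying on e as a fingerprint.
        "e_equals_low32_of_n": e == (n & 0xFFFFFFFF),
        "e_is_odd": e & 1 == 1,
    }


if __name__ == "__main__":
    for key, value in describe_key(GOZI_RM3_PUBKEY_PEM).items():
        print(f"{key:>22}: {value}")
```

The walker deliberately checks every tag and the algorithm OID so that a blob from a different extractor (or a corrupted one) fails loudly instead of producing a plausible-looking wrong modulus.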

Signatures

  • Gozi RM3

    A heavily modified version of Gozi that uses the RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XKArsO.exe_.exe
    "C:\Users\Admin\AppData\Local\Temp\XKArsO.exe_.exe"
    1⤵
      PID:4060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1700
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4028 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3492
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3920 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3472
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3936
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:3672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1188
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:192

    Network

    • flag-us
      DNS
      haverit.xyz
      XKArsO.exe_.exe
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
      (empty: no A record was returned)

    The identical request above was recorded 20 times from XKArsO.exe_.exe during the 150 s run; the name never resolved, and no other network activity appears in this report.
    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      XKArsO.exe_.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz
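The network section shows a pattern worth turning into a check: one process hammering a single name that never resolves, with a fixed-size query each time. The block below is an added example, not part of the sandbox report. It reconstructs the 57 B query size from first principles and flags (process, name) pairs with many unanswered and zero answered lookups. The event list is constructed for the example, modelled on the 20 lookups above plus benign noise with a made-up name and RFC 5737 address; the function names are this example's own, and the size formula assumes a plain stub query without an OPT record.

```python
from collections import defaultdict

# Constructed DNS log: the 20 identical lookups from the report, plus two answered
# lookups and one below-threshold failure as noise (names/addresses are made up).
DNS_EVENTS = [
    {"process": "XKArsO.exe_.exe", "qname": "haverit.xyz", "qtype": "A", "answers": []}
    for _ in range(20)
] + [
    {"process": "svchost.exe", "qname": "updates.example.net", "qtype": "A", "answers": ["192.0.2.10"]},
    {"process": "svchost.exe", "qname": "updates.example.net", "qtype": "A", "answers": ["192.0.2.10"]},
    {"process": "iexplore.exe", "qname": "haverit.xyz", "qtype": "A", "answers": []},
]


def dns_query_wire_size(qname: str) -> int:
    """Bytes on the wire for a minimal IPv4/UDP DNS query (no EDNS0 OPT record).

    IPv4 header (20) + UDP header (8) + DNS header (12) + QNAME encoded as
    length-prefixed labels plus the root terminator + QTYPE/QCLASS (4).
    """
    labels = [label for label in qname.rstrip(".").split(".") if label]
    qname_len = sum(1 + len(label) for label in labels) + 1
    return 20 + 8 + 12 + qname_len + 4


def find_dead_domain_lookups(events, min_queries: int = 5):
    """Flag (process, qname) pairs that keep asking for a name that never resolves.

    Heuristic for a loader beaconing to a sinkholed, expired or not-yet-live C2:
    many queries, zero answers, same process. Sorted by query count, highest first.
    """
    stats = defaultdict(lambda: {"unanswered": 0, "answered": 0})
    for ev in events:
        key = (ev["process"], ev["qname"].rstrip(".").lower())
        stats[key]["answered" if ev["answers"] else "unanswered"] += 1
    hits = [
        {"process": proc, "qname": name, "unanswered": s["unanswered"]}
        for (proc, name), s in stats.items()
        if s["answered"] == 0 and s["unanswered"] >= min_queries
    ]
    return sorted(hits, key=lambda h: h["unanswered"], reverse=True)


if __name__ == "__main__":
    print("wire size of 'A? haverit.xyz':", dns_query_wire_size("haverit.xyz"), "bytes")
    for hit in find_dead_domain_lookups(DNS_EVENTS):
        print(f"{hit['process']} -> {hit['qname']}: {hit['unanswered']} unanswered queries")
```

The single failed iexplore.exe lookup in the constructed data stays below the threshold, which is the intended behaviour: a browser occasionally failing to resolve a name is normal, a loader retrying twenty times is not.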


    Downloads

    • memory/1132-120-0x00007FFAA2FD0000-0x00007FFAA303B000-memory.dmp

      Filesize

      428KB

    • memory/1212-130-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp

      Filesize

      428KB

    • memory/1548-134-0x00007FFAA4E10000-0x00007FFAA4E7B000-memory.dmp

      Filesize

      428KB

    • memory/2152-132-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp

      Filesize

      428KB

    • memory/2160-126-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp

      Filesize

      428KB

    • memory/2780-128-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp

      Filesize

      428KB

    • memory/3920-124-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp

      Filesize

      428KB

    • memory/4028-122-0x00007FFAA2FD0000-0x00007FFAA303B000-memory.dmp

      Filesize

      428KB

    • memory/4060-114-0x0000000001000000-0x000000000100F000-memory.dmp

      Filesize

      60KB

    • memory/4060-117-0x00000000005B0000-0x00000000005C0000-memory.dmp

      Filesize

      64KB

    • memory/4060-116-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

    • memory/4060-115-0x0000000001000000-0x00000000010F4000-memory.dmp

      Filesize

      976KB
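The dump names above encode PID, sequence number and address range, which is enough to do a first triage without opening a single file. The block below is an added example, not part of the sandbox report: it parses the twelve names listed, confirms the sizes the report shows, groups same-size regions across processes (ASLR moves the base but not the size, so a region of identical size in every iexplore.exe instance is the first candidate to dump and compare), and lists overlapping ranges within one PID, which is how the same base at 0x01000000 being captured at 60 KB and then 976 KB shows up. Function names are this example's own.

```python
import re
from collections import defaultdict

# Dump names exactly as listed under Downloads in the report
DUMPS = [
    "memory/1132-120-0x00007FFAA2FD0000-0x00007FFAA303B000-memory.dmp",
    "memory/1212-130-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp",
    "memory/1548-134-0x00007FFAA4E10000-0x00007FFAA4E7B000-memory.dmp",
    "memory/2152-132-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp",
    "memory/2160-126-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp",
    "memory/2780-128-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp",
    "memory/3920-124-0x00007FFAA43D0000-0x00007FFAA443B000-memory.dmp",
    "memory/4028-122-0x00007FFAA2FD0000-0x00007FFAA303B000-memory.dmp",
    "memory/4060-114-0x0000000001000000-0x000000000100F000-memory.dmp",
    "memory/4060-117-0x00000000005B0000-0x00000000005C0000-memory.dmp",
    "memory/4060-116-0x0000000000400000-0x00000000004AE000-memory.dmp",
    "memory/4060-115-0x0000000001000000-0x00000000010F4000-memory.dmp",
]

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split '<pid>-<seq>-<start>-<end>' into numbers; size is end - start."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_kb(nbytes: int) -> int:
    return nbytes // 1024


def regions_shared_across_processes(names, min_pids: int = 3) -> dict:
    """Map region size -> sorted PIDs, keeping sizes seen in at least min_pids distinct processes."""
    pids_by_size = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        pids_by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) >= min_pids}


def overlapping_regions(names) -> list:
    """Pairs of dumps from the same PID whose address ranges overlap (re-dumps of a growing mapping)."""
    by_pid = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        by_pid[d["pid"]].append(d)
    pairs = []
    for regions in by_pid.values():
        regions.sort(key=lambda r: (r["start"], r["seq"]))
        for i, a in enumerate(regions):
            for b in regions[i + 1:]:
                if b["start"] < a["end"] and a["start"] < b["end"]:
                    pairs.append((a["name"], b["name"]))
    return pairs


if __name__ == "__main__":
    for size, pids in regions_shared_across_processes(DUMPS).items():
        print(f"0x{size:X} ({size_kb(size)} KB) present in PIDs {pids}")
    for a, b in overlapping_regions(DUMPS):
        print("overlap:", a, "<->", b)
```

With these twelve names the only shared size is 0x6B000 (428 KB), present in all eight iexplore.exe processes at three different bases, and the only overlap is the two 0x01000000 dumps from PID 4060.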
