Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10-09-2021 10:12

General

  • Target

    79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f.exe

  • Size

    880KB

  • MD5

    2c3bd0e45218c8638c0322903d0ab9ac

  • SHA1

    68af748a4745b51db646f4271712deee12a13880

  • SHA256

    79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f

  • SHA512

    18f64310fb51c96f755c23ba2e31a1af7c69c3de8d49bc54f1761402620dd30a8d9c5edbea6ac18ff1ccd5c555d16ca04453dd568617b0c51b55f6d246a1414f

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300981

Extracted

Family

gozi_rm3

Botnet

202108021

C2

https://haverit.xyz

Attributes
  • build

    300981

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIGhMA0GCSqGSIb3DQEBAQUAA4GPADCBiwKBgQDQvSE+pGC5ueFuFpsWZNFb2D62
JrHBcRqgYrVTvdjBpXuaQW5ardkd9dQbqV/m9lqnAPR/0bzeIxp3S25u4aysggiU
q9vS8NOAX5OUj/9xYDDmNGC4wwov91iWFs2zVQq/NK3xbdAoFHf4tBEbHMqwBYO0
yXwvy6ct9gfu47z1YQIFAOO89WE=
-----END PUBLIC KEY-----

aes.plain

kUQPFKASLooZS1Lr

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f.exe
    "C:\Users\Admin\AppData\Local\Temp\79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f.exe"
    1⤵
      PID:3260
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:404 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1220
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1736
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1300
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3964
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:500
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1300 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:644

    Network

    • flag-us
      DNS
      haverit.xyz
      79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f.exe
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • 8.8.8.8:53
      haverit.xyz
      dns
      79267d6392623e9a0ae504377252545990ff860c3c5498d3e32825de8057cd7f.exe
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz


    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/404-120-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/604-128-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/1300-132-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/1488-130-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/1788-122-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/2300-124-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/2352-126-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/2992-134-0x00007FFAA7FB0000-0x00007FFAA801B000-memory.dmp

      Filesize

      428KB

    • memory/3260-119-0x0000000000490000-0x00000000005DA000-memory.dmp

      Filesize

      1.3MB

    • memory/3260-117-0x0000000000580000-0x0000000000590000-memory.dmp

      Filesize

      64KB

    • memory/3260-114-0x0000000001000000-0x000000000100F000-memory.dmp

      Filesize

      60KB

    • memory/3260-115-0x0000000001000000-0x00000000010F4000-memory.dmp

      Filesize

      976KB