Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10/09/2021, 16:42 UTC

General

  • Target

    6c4e1328230fd65c2c8232e7b9f838ae.exe

  • Size

    880KB

  • MD5

    6c4e1328230fd65c2c8232e7b9f838ae

  • SHA1

    9cfbf6477457d26555e37ad3717cccd3aadc7dbe

  • SHA256

    31941577d287f7445f2791c78da17ffcd54baee40acf61dc0ff27a3f1d5253e6

  • SHA512

    062c9fa2241227752ead4f15d05e3c3df8f685538765e527f4929ed3e94f3f37f89f60764b531a0c935e878b7710ea4174ae6f9b48e7c8aa8066176e57fdf733

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300981

Extracted

Family

gozi_rm3

Botnet

202108021

C2

https://haverit.xyz

Attributes
  • build

    300981

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
aes.plain
kUQPFKASLooZS1Lr

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c4e1328230fd65c2c8232e7b9f838ae.exe
    "C:\Users\Admin\AppData\Local\Temp\6c4e1328230fd65c2c8232e7b9f838ae.exe"
    1⤵
      PID:628
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:768
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3096 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3612
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1728
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2308
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:82945 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:4056
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1288

    Network

    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • flag-us
      DNS
      haverit.xyz
      IEXPLORE.EXE
      Remote address:
      8.8.8.8:53
      Request
      haverit.xyz
      IN A
      Response
    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      57 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    • 8.8.8.8:53
      haverit.xyz
      dns
      IEXPLORE.EXE
      57 B
      122 B
      1
      1

      DNS Request

      haverit.xyz

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/396-126-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/628-115-0x0000000001000000-0x00000000010F4000-memory.dmp

      Filesize

      976KB

    • memory/628-116-0x0000000000490000-0x0000000000491000-memory.dmp

      Filesize

      4KB

    • memory/628-117-0x0000000000D60000-0x0000000000D70000-memory.dmp

      Filesize

      64KB

    • memory/628-114-0x0000000001000000-0x000000000100F000-memory.dmp

      Filesize

      60KB

    • memory/748-130-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/916-124-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/1956-132-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/3096-122-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/4016-120-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB

    • memory/4016-128-0x00007FFF84E50000-0x00007FFF84EBB000-memory.dmp

      Filesize

      428KB
