Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
02-11-2021 06:18
General
-
Target
1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44.dll.exe
-
Size
1.8MB
-
MD5
dc5e63f80e1adc0ca0e130be0d6a08c4
-
SHA1
8ee4915518f67171eaabc5a9464faf3588d29c87
-
SHA256
1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44
-
SHA512
6abaf1c379948302fe164e2a99e57aa26d936202a8250c6e116e72e8dbd93919ddf37832a0fdc11da008aa40f7b38f1c7d95b072ee7175addb4a1e4b611a0858
Score
10/10
Malware Config
Extracted
Family
gozi_rm3
Attributes
-
build
300848
Extracted
Family
gozi_rm3
Botnet
8483
C2
https://votboo.xyz
Attributes
-
build
300848
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Modifies Internet Explorer settings 1 TTPs 41 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44.dll.exe"C:\Users\Admin\AppData\Local\Temp\1c359f210df80175b3fe8205db122f9380bbf4fcf2eabfc10c98a32d79e21c44.dll.exe"1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:82948 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
60KB
-
Filesize
2.8MB