Behavioral task: behavioral1
Sample: ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b.dll
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b.dll
Resource: win10v2004-en-20220113
General
Target: ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
Size: 53KB
MD5: b0fecfeb86217600bc3308aae08a2b82
SHA1: d40b663632d57b9c5449d3a080ba3895b0a138d6
SHA256: ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
SHA512: 2ced7bc4a542644e6341a80e66060fb118a7275352e2e60a00e4276bba5886dcf1a6f815bf1e27f58090dfe80251cd8ab08336699a4efa86fd191b7bcee3a553
SSDEEP: 1536:yx+YP9ePXkAOiWKE4D3dF6eRdfQc1QQIwReyUP:yx+YsPhOwD+qdfn/tReyUP
Malware Config

Extracted
Family: gozi_rm3
Attributes:
  exe_type: loader

Extracted
Family: gozi_rm3
Version: 201908051
C2: https://corpington.pw
Attributes:
  build: 300768
  dga_base_url: constitution.org/usdeclar.txt
  dga_crc: 0x4eb7d2ca
  dga_season: 10
  dga_tlds: com, ru, org
  exe_type: loader
  server_id: 12
  url_path: index.htm
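The extracted config above is directly usable for hunting: the C2 host and the DGA seed text URL are the two network indicators the loader must touch. The script below is an added example (not part of the report or of any Triage tooling) that turns those two fields into matchable indicators and runs them over a handful of constructed proxy log lines. It deliberately does exact-host or subdomain matching rather than substring matching, normalizes the scheme-less dga_base_url, and treats a fetch of the seed text on its own as weak evidence, since constitution.org is a legitimate site. The dga_crc, dga_season and dga_tlds fields are not used because the report does not describe the DGA itself; the log format and the IP addresses are assumptions for the example.

```python
from urllib.parse import urlsplit

# Network-relevant fields from the gozi_rm3 config extracted in the report above.
GOZI_RM3_CONFIG = {
    "c2": ["https://corpington.pw"],
    "dga_base_url": "constitution.org/usdeclar.txt",
}

# Constructed proxy log lines (not from the report): "timestamp src method url status".
SAMPLE_PROXY_LOG = [
    "2022-01-13T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2022-01-13T10:00:07Z 10.0.0.5 GET http://constitution.org/usdeclar.txt 200",
    "2022-01-13T10:00:09Z 10.0.0.5 GET https://corpington.pw/index.htm 200",
    "2022-01-13T10:00:11Z 10.0.0.7 GET https://notcorpington.pw/index.htm 200",
    "2022-01-13T10:00:15Z 10.0.0.7 GET http://constitution.org/index.html 200",
]


def normalize_url(url):
    """Return (host, path). The report's dga_base_url carries no scheme, so add one
    before parsing; otherwise urlsplit treats the whole string as a path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip("."), parts.path or "/"


def host_matches(host, ioc_host):
    """Exact host or subdomain match. A plain substring test would also hit
    notcorpington.pw, and a prefix test would miss sub.corpington.pw."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


def build_iocs(cfg):
    """Turn the extracted config into matchable network indicators."""
    return {
        "c2_hosts": [normalize_url(u)[0] for u in cfg["c2"]],
        "seed": normalize_url(cfg["dga_base_url"]),  # (host, path)
    }


def scan_proxy_log(lines, iocs):
    """Return (line_no, src, reason, matched) for every line touching an indicator.
    The seed text lives on a legitimate site, so that hit alone is weak evidence."""
    hits = []
    seed_host, seed_path = iocs["seed"]
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the sweep
        _ts, src, _method, url, _status = fields[:5]
        host, path = normalize_url(url)
        for c2 in iocs["c2_hosts"]:
            if host_matches(host, c2):
                hits.append((n, src, "gozi_rm3 C2 host", host))
        if host_matches(host, seed_host) and path == seed_path:
            hits.append((n, src, "gozi_rm3 DGA seed text fetch", host + path))
    return hits


def hosts_with_both(hits):
    """Source addresses that fetched the seed text AND contacted the C2: the
    combination is far stronger than either indicator on its own."""
    seen = {}
    for _n, src, reason, _matched in hits:
        seen.setdefault(src, set()).add(reason)
    return sorted(src for src, reasons in seen.items() if len(reasons) == 2)


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG, build_iocs(GOZI_RM3_CONFIG))
    for hit in hits:
        print(hit)
    print("high confidence:", hosts_with_both(hits))
```

On the constructed log, only 10.0.0.5 produces both indicators; 10.0.0.7 hits neither, because notcorpington.pw is not the C2 host and index.html is not the seed path. In a real sweep the C2 host should also be checked against DNS logs, since the loader imports DnsQuery_A and resolves its targets itself.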
Signatures
- Gozi_rm3 family
- Ursnif RM3 loader (1 IoC)
  Detected the Ursnif RM3 loader, a heavily modified version of the original Ursnif loader.
  resource: sample; yara_rule: ursnif_rm3
Files
ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b.dll  windows x86  ee389137853bb0befba0238f367463bd
Code Sign
Headers
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
sprintf
_snprintf
strchr
strcpy
NtCreateKey
NtDeleteValueKey
RtlInitUnicodeString
NtSetValueKey
memmove
wcstombs
NtOpenProcessToken
_allmul
_aulldiv
NtClose
NtQueryInformationToken
RtlNtStatusToDosError
wcsrchr
NtQueryInformationProcess
_wcsupr
NtQueryVirtualMemory
_snwprintf
mbstowcs
RtlImageNtHeader
wcschr
memcpy
memset
RtlUnwind
shlwapi
StrChrW
StrStrA
StrStrIW
StrChrA
StrStrIA
StrTrimA
ord176
PathCombineW
StrToIntExA
kernel32
CreateWaitableTimerW
GetProcAddress
VirtualAlloc
Sleep
VirtualProtect
WaitForSingleObject
HeapCreate
CreateWaitableTimerA
lstrlenA
GetModuleHandleA
WaitForMultipleObjects
lstrlenW
SetWaitableTimer
GetSystemTimeAsFileTime
VirtualFree
CreateEventW
CreateMutexW
lstrcatW
SetEvent
EnterCriticalSection
GetLastError
LoadLibraryA
CloseHandle
lstrcmpW
SwitchToThread
lstrcatA
MultiByteToWideChar
lstrcpyA
InterlockedIncrement
lstrcpyW
QueryPerformanceFrequency
QueryPerformanceCounter
GetComputerNameW
InterlockedDecrement
OpenProcess
InitializeCriticalSection
CreateEventA
GetCurrentProcessId
ProcessIdToSessionId
ResetEvent
GetModuleFileNameW
HeapFree
HeapAlloc
ExpandEnvironmentStringsW
LeaveCriticalSection
user32
wsprintfW
wsprintfA
advapi32
OpenProcessToken
RegEnumKeyExW
GetUserNameW
GetSidSubAuthorityCount
RegCloseKey
GetTokenInformation
GetSidSubAuthority
RegSetValueExW
RegCreateKeyW
shell32
ShellExecuteW
ws2_32
inet_ntoa
inet_addr
winhttp
WinHttpCloseHandle
WinHttpQueryOption
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpSetTimeouts
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpSetOption
WinHttpConnect
WinHttpReadData
WinHttpWriteData
WinHttpSendRequest
WinHttpOpen
dnsapi
DnsQuery_A
DnsFree
ole32
CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CreateStreamOnHGlobal
oleaut32
SysFreeString
SysAllocString
SafeArrayCreate
SafeArrayDestroy
Sections
.text   Size: 40KB   Virtual size: 40KB   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 3KB    Virtual size: 3KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 512B   Virtual size: 620B   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.bss    Size: 3KB    Virtual size: 2KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.reloc  Size: 4KB    Virtual size: 8KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
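Two things in the section table deserve a second look: .bss is flagged IMAGE_SCN_CNT_INITIALIZED_DATA instead of the usual IMAGE_SCN_CNT_UNINITIALIZED_DATA, and its raw size (3KB) is larger than its virtual size (2KB), so part of it exists on disk but is never mapped. The script below is an added example (not from the report or from Triage) of the section-table triage a reviewer would automate: it parses raw IMAGE_SECTION_HEADER entries and emits findings for RWX sections, executable non-code sections, a .bss carrying initialized data, and raw data beyond what the file alignment can account for. Because the report rounds sizes to KB, the embedded section table is constructed from approximate byte counts, and the 512-byte file alignment is an assumption; none of the findings is proof of malice on its own.

```python
import struct

# IMAGE_SECTION_HEADER characteristic bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def pack_section(name, vsize, vaddr, rawsize, rawptr, flags):
    """Build one raw section header (used here only to construct test input)."""
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


# Constructed section table mirroring the report's layout. The report rounds
# sizes to KB, so these byte counts and offsets are assumptions, not the file's.
_R, _W, _X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
CONSTRUCTED_SECTION_TABLE = b"".join([
    pack_section(".text",  40 * 1024, 0x1000, 40 * 1024, 0x400,  IMAGE_SCN_CNT_CODE | _X | _R),
    pack_section(".rdata", 3 * 1024,  0xB000, 3 * 1024,  0xA400, IMAGE_SCN_CNT_INITIALIZED_DATA | _R),
    pack_section(".data",  620,       0xC000, 512,       0xB000, IMAGE_SCN_CNT_INITIALIZED_DATA | _R | _W),
    pack_section(".bss",   2 * 1024,  0xD000, 3 * 1024,  0xB200, IMAGE_SCN_CNT_INITIALIZED_DATA | _R | _W),
    pack_section(".reloc", 8 * 1024,  0xE000, 4 * 1024,  0xBE00, IMAGE_SCN_CNT_INITIALIZED_DATA | _R),
])
CONSTRUCTED_SECTION_COUNT = 5


def parse_section_table(blob, count):
    """Parse `count` IMAGE_SECTION_HEADER entries from `blob` into dicts."""
    sections = []
    for i in range(count):
        (name, vsize, vaddr, rawsize, rawptr,
         _rel, _lin, _nrel, _nlin, flags) = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "rawptr": rawptr, "flags": flags,
        })
    return sections


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def section_findings(sections, file_alignment=0x200):
    """Triage checks over a section table. SizeOfRawData is normally VirtualSize
    rounded up to FileAlignment (assumed 0x200 here); anything beyond that is
    file content the loader never maps, which is worth carving and inspecting."""
    findings = []
    for s in sections:
        f, name = s["flags"], s["name"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, "writable and executable"))
        if f & IMAGE_SCN_MEM_EXECUTE and not f & IMAGE_SCN_CNT_CODE:
            findings.append((name, "executable but not flagged as code"))
        if name == ".bss" and not f & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            findings.append((name, ".bss flagged as initialized data"))
        expected_raw = align_up(s["vsize"], file_alignment)
        if s["rawsize"] > expected_raw:
            findings.append((name, "raw size %d exceeds aligned virtual size %d: %d unmapped file bytes"
                             % (s["rawsize"], expected_raw, s["rawsize"] - expected_raw)))
    return findings


if __name__ == "__main__":
    for section in parse_section_table(CONSTRUCTED_SECTION_TABLE, CONSTRUCTED_SECTION_COUNT):
        print("%-7s vsize=%-6d raw=%-6d flags=0x%08x" % (section["name"], section["vsize"],
                                                         section["rawsize"], section["flags"]))
    for name, reason in section_findings(parse_section_table(CONSTRUCTED_SECTION_TABLE, CONSTRUCTED_SECTION_COUNT)):
        print("finding:", name, reason)
```

On the constructed table only .bss produces findings; .text is executable but not writable, and .data and .reloc have raw sizes below their virtual sizes, which is the normal zero-filled tail. Against the real file, read FileAlignment from the optional header instead of assuming 0x200, and carve the unmapped .bss tail for strings or an embedded blob before drawing conclusions.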