Overview

overview

10

Static

static

10

76cf0ed8a2...75.dll

windows7_x64

10

76cf0ed8a2...75.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76cf0ed8a2554286a643ffc0661f6e422b014644ff1a51ef4825ae8afb7c5375.dll

  • Size

    68KB

  • MD5

    eb437ea8590f9ee0f3723d1469a3699a

  • SHA1

    b46845d7d29ebe3a59b5502b490e70320898a01e

  • SHA256

    76cf0ed8a2554286a643ffc0661f6e422b014644ff1a51ef4825ae8afb7c5375

  • SHA512

    92924519780572c2ea1a4eb33b387ea4ca030cbfc734991f1724d5f77e5efa91bd0e1baadc67334ebba3b12a7c80fefcac9f2209c76a0a885aed6a3bf21a1fb9

Score
10/10
gozi_rm32020109324bankerpersistencetrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

2020109324

C2

https://bonderlas.xyz

Attributes
  • build

    300932

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Sets service image path in registry 2 TTPs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\76cf0ed8a2554286a643ffc0661f6e422b014644ff1a51ef4825ae8afb7c5375.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\76cf0ed8a2554286a643ffc0661f6e422b014644ff1a51ef4825ae8afb7c5375.dll
      2⤵
        PID:832
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2084
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1912
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
        1⤵
          PID:320
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3860
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 15d7e4ebb6fd9526688841603a7e4106 kwQiZ2u1hUyAo79KquAR8A.0.1.0.0.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:2288
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3504
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3008
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:17410 /prefetch:2
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:1404

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/832-130-0x0000000003020000-0x0000000003032000-memory.dmp

          Filesize

          72KB

          Download