gozi_rm3 | 68a2b66cd3cf613dc575787660dc444c68ad256cb9264b64c189b230d0f8f287

Sharing

Copy URL

Twitter E-mail

General

Target

68a2b66cd3cf613dc575787660dc444c68ad256cb9264b64c189b230d0f8f287
Size

70KB
MD5

4adc87bc1193e51d12ba19ea89032054
SHA1

69a901e8560dfb1f44c533c52fe01f9981da183a
SHA256

68a2b66cd3cf613dc575787660dc444c68ad256cb9264b64c189b230d0f8f287
SHA512

f82cde15fb6172b08c5a84531bfb5533320940fb2549866171ef7073ee59cb5da30b89f6b7a32314cb9869e4d335c8e817ba322006e7929c8a4320f0d7ea3b32
SSDEEP

1536:XqQc1UOXOPXCbuh9qUWODNTVkj5Lxaq2w2cn4Dnyg6L:6nUOXOPybu+mNTVi552wXnayg6

Score

10^/10

201910081 gozi_rm3

Malware Config

Extracted

Family

gozi_rm3

Attributes

exe_type
loader

Extracted

Family

gozi_rm3

Botnet

201910081

https://kenneyai.xyz

Attributes

build
300787
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_rm3 family
gozi_rm3

Ursnif RM3 loader 1 IoCs

Detected the Ursnif RM3 loader, which is a heavily modified version of the Ursnif one.

resource	yara_rule
sample	ursnif_rm3

Files

68a2b66cd3cf613dc575787660dc444c68ad256cb9264b64c189b230d0f8f287
.dll windows x86

a445a7dad8d4af4e2ecce7db38d0d214

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

memmove
NtQueryVirtualMemory
NtQueryInformationProcess
NtQueryInformationToken
NtOpenProcessToken
_snwprintf
NtClose
RtlNtStatusToDosError
NtSetValueKey
NtDeleteValueKey
NtCreateKey
strchr
strcpy
sprintf
_allmul
_aulldiv
wcstombs
mbstowcs
wcsrchr
RtlInitUnicodeString
_wcsupr
RtlImageNtHeader
wcschr
memcpy
memset
_snprintf
RtlUnwind

shlwapi

StrToIntExA
StrChrW
PathFindFileNameW
StrStrIA
StrChrA
ord176
PathCombineW
StrTrimA
StrStrIW
StrStrA
PathFindExtensionW

kernel32

CreateWaitableTimerW
GetModuleHandleA
WaitForMultipleObjects
lstrlenW
GetProcAddress
GetSystemTimeAsFileTime
CreateEventW
SwitchToThread
VirtualFree
Sleep
CreateWaitableTimerA
DeleteFileW
HeapCreate
WaitForSingleObject
VirtualProtect
SetWaitableTimer
VirtualAlloc
QueryPerformanceFrequency
CreateThread
GetComputerNameW
InterlockedDecrement
FlushFileBuffers
ResetEvent
SetEndOfFile
GetTempPathW
SetFilePointer
CreateFileW
GetFileSize
ReadFile
GetTempFileNameW
WriteFile
GetCurrentThreadId
MultiByteToWideChar
lstrcatA
ExpandEnvironmentStringsW
lstrcpyA
DeleteCriticalSection
lstrcatW
SetEvent
EnterCriticalSection
LeaveCriticalSection
SetLastError
CreateEventA
ProcessIdToSessionId
GetCurrentProcessId
OpenProcess
InitializeCriticalSection
LoadLibraryA
lstrcmpW
GetModuleFileNameW
HeapAlloc
HeapFree
lstrcpyW
lstrlenA
GetSystemTime
CloseHandle
GetVersionExA
CreateMutexW
GetLastError
InterlockedIncrement
QueryPerformanceCounter

user32

GetDC
GetIconInfo
GetWindowRect
ReleaseDC
GetShellWindow
GetSystemMetrics
DrawIcon
SetRect
wsprintfA
GetCursorInfo
wsprintfW

advapi32

RegEnumKeyExW
GetSidSubAuthorityCount
OpenProcessToken
GetSidSubAuthority
RegCreateKeyW
GetUserNameW
RegCloseKey
RegSetValueExW
GetTokenInformation

shell32

ShellExecuteW

ws2_32

inet_addr
inet_ntoa

winhttp

WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryOption
WinHttpCloseHandle
WinHttpConnect
WinHttpReadData
WinHttpWriteData

avifil32

AVIMakeCompressedStream
AVIFileExit
AVIFileOpenW
AVISaveOptionsFree
AVIStreamWrite
AVIFileCreateStreamA
AVIStreamSetFormat
AVIStreamRelease
AVIFileInit
AVIFileRelease

dnsapi

DnsQuery_A
DnsFree

gdi32

CreateCompatibleDC
SelectObject
DeleteObject
BitBlt
CreateCompatibleBitmap
GetDIBits
GetDeviceCaps
GetObjectA

ole32

CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CreateStreamOnHGlobal

oleaut32

SafeArrayDestroy
SysAllocString
SysFreeString
SafeArrayCreate

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 660B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

a445a7dad8d4af4e2ecce7db38d0d214

Code Sign

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

shell32

ws2_32

winhttp

avifil32

dnsapi

gdi32

ole32

oleaut32

Sections

.text Size: 52KB - Virtual size: 51KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 660B

.bss Size: 3KB - Virtual size: 3KB

.reloc Size: 5KB - Virtual size: 8KB

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 660B

.bss
Size: 3KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 8KB