gozi_rm3 | 82b427884a39fd1b2476603efbf8df2f2d8c5d24b4335b9824779b84ddc95ce7

Sharing

Copy URL

Twitter E-mail

General

Target

82b427884a39fd1b2476603efbf8df2f2d8c5d24b4335b9824779b84ddc95ce7
Size

53KB
MD5

da95ea96dc4029e73b292b91e493e9d7
SHA1

11bf7fb66852f2cd4555b0a4b30b42fe7f0c25d9
SHA256

82b427884a39fd1b2476603efbf8df2f2d8c5d24b4335b9824779b84ddc95ce7
SHA512

3b3c1b0a9d9d13a439af5946ef1ff5014e1217e7efda9815355103d5bcae3dfc4b2218e7f658355e74c3dc0ecd689fcdb9f730d5d2c6f4b00384e16b662932dd
SSDEEP

1536:DxEQc1fBOwQMqVNPX5b6MWPj4rwbb79NHk1TzLyUPjLe:lEnfAwQMAPp21jei7k9HyUPjL

Score

10^/10

gozi_rm3

Malware Config

Signatures

Gozi_rm3 family
gozi_rm3

Ursnif RM3 loader 1 IoCs

Detected the Ursnif RM3 loader, which is a heavily modified version of the Ursnif one.

resource	yara_rule
sample	ursnif_rm3

Files

82b427884a39fd1b2476603efbf8df2f2d8c5d24b4335b9824779b84ddc95ce7
.exe windows x86

4c63b68248e142bb0f68f8defc122148

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

sprintf
_snprintf
strchr
strcpy
NtCreateKey
NtDeleteValueKey
RtlInitUnicodeString
NtSetValueKey
memmove
RtlAddVectoredExceptionHandler
RtlRemoveVectoredExceptionHandler
wcstombs
NtQueryInformationToken
_allmul
_aulldiv
NtOpenProcessToken
NtClose
_wcsupr
NtQueryVirtualMemory
_snwprintf
RtlNtStatusToDosError
wcsrchr
NtQueryInformationProcess
mbstowcs
RtlImageNtHeader
wcschr
memcpy
memset
RtlUnwind

shlwapi

StrChrW
StrStrA
StrStrIW
StrChrA
StrStrIA
StrTrimA
ord176
PathCombineW
StrToIntExA

kernel32

CreateWaitableTimerW
GetProcAddress
VirtualAlloc
Sleep
VirtualProtect
WaitForSingleObject
HeapCreate
CreateWaitableTimerA
lstrlenA
SwitchToThread
TlsSetValue
TlsFree
GetModuleHandleA
WaitForMultipleObjects
lstrlenW
SetWaitableTimer
GetSystemTimeAsFileTime
VirtualFree
CreateEventW
CreateMutexW
TlsAlloc
LeaveCriticalSection
EnterCriticalSection
GetLastError
OpenProcess
CloseHandle
TlsGetValue
DeleteCriticalSection
InitializeCriticalSection
lstrcatW
lstrcpyA
ExpandEnvironmentStringsW
InterlockedIncrement
LoadLibraryA
QueryPerformanceFrequency
QueryPerformanceCounter
GetComputerNameW
InterlockedDecrement
lstrcmpW
ProcessIdToSessionId
GetCurrentProcessId
CreateEventA
SetEvent
ResetEvent
GetModuleFileNameW
HeapFree
HeapAlloc
MultiByteToWideChar
lstrcpyW
lstrcatA

user32

wsprintfW
wsprintfA

advapi32

OpenProcessToken
RegEnumKeyExW
GetUserNameW
GetSidSubAuthorityCount
RegCloseKey
GetTokenInformation
GetSidSubAuthority
RegSetValueExW
RegCreateKeyW

shell32

ShellExecuteW

ws2_32

inet_ntoa
inet_addr

winhttp

WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpWriteData
WinHttpReadData
WinHttpConnect
WinHttpQueryOption
WinHttpReceiveResponse
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpSetTimeouts
WinHttpQueryHeaders
WinHttpCloseHandle

dnsapi

DnsQuery_A
DnsFree

ole32

CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CreateStreamOnHGlobal

oleaut32

SysFreeString
SysAllocString
SafeArrayCreate
SafeArrayDestroy

Sections

.text
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c63b68248e142bb0f68f8defc122148

Code Sign

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

shell32

ws2_32

winhttp

dnsapi

ole32

oleaut32

Sections

.text Size: 40KB - Virtual size: 39KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 620B

.bss Size: 3KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 8KB

.text
Size: 40KB - Virtual size: 39KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 620B

.bss
Size: 3KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 8KB