gozi_rm3 | 606a5c5f9af86d4a1685a3a4f6d34ca5e6c99dc2e35669befd0091bd2e9747c4

Sharing

Copy URL

Twitter E-mail

General

Target

606a5c5f9af86d4a1685a3a4f6d34ca5e6c99dc2e35669befd0091bd2e9747c4
Size

53KB
MD5

572b7484b78a4d209194ceed7158000e
SHA1

561e75e10e9ebafc94751dab41da4e6b86e5c324
SHA256

606a5c5f9af86d4a1685a3a4f6d34ca5e6c99dc2e35669befd0091bd2e9747c4
SHA512

dfbe028ddfb4360f7735f987a3b2681af7ffb4159b5dbc6333606466dcbd77c58b14586106cdb89cfac36efa1ed42b48f4833b190f009ce9738a870f80d207d0
SSDEEP

1536:sxEQc1fBOwQMqVNPX5b6MWPj4rwbb79NHk1TzLyUPjLe:MEnfAwQMAPp21jei7k9HyUPjL

Score

10^/10

gozi_rm3

Malware Config

Signatures

Gozi_rm3 family
gozi_rm3

Ursnif RM3 loader 1 IoCs

Detected the Ursnif RM3 loader, which is a heavily modified version of the Ursnif one.

resource	yara_rule
sample	ursnif_rm3

Files

606a5c5f9af86d4a1685a3a4f6d34ca5e6c99dc2e35669befd0091bd2e9747c4
.exe windows x86

4c63b68248e142bb0f68f8defc122148

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

sprintf
_snprintf
strchr
strcpy
NtCreateKey
NtDeleteValueKey
RtlInitUnicodeString
NtSetValueKey
memmove
RtlAddVectoredExceptionHandler
RtlRemoveVectoredExceptionHandler
wcstombs
NtQueryInformationToken
_allmul
_aulldiv
NtOpenProcessToken
NtClose
_wcsupr
NtQueryVirtualMemory
_snwprintf
RtlNtStatusToDosError
wcsrchr
NtQueryInformationProcess
mbstowcs
RtlImageNtHeader
wcschr
memcpy
memset
RtlUnwind

shlwapi

StrChrW
StrStrA
StrStrIW
StrChrA
StrStrIA
StrTrimA
ord176
PathCombineW
StrToIntExA

kernel32

CreateWaitableTimerW
GetProcAddress
VirtualAlloc
Sleep
VirtualProtect
WaitForSingleObject
HeapCreate
CreateWaitableTimerA
lstrlenA
SwitchToThread
TlsSetValue
TlsFree
GetModuleHandleA
WaitForMultipleObjects
lstrlenW
SetWaitableTimer
GetSystemTimeAsFileTime
VirtualFree
CreateEventW
CreateMutexW
TlsAlloc
LeaveCriticalSection
EnterCriticalSection
GetLastError
OpenProcess
CloseHandle
TlsGetValue
DeleteCriticalSection
InitializeCriticalSection
lstrcatW
lstrcpyA
ExpandEnvironmentStringsW
InterlockedIncrement
LoadLibraryA
QueryPerformanceFrequency
QueryPerformanceCounter
GetComputerNameW
InterlockedDecrement
lstrcmpW
ProcessIdToSessionId
GetCurrentProcessId
CreateEventA
SetEvent
ResetEvent
GetModuleFileNameW
HeapFree
HeapAlloc
MultiByteToWideChar
lstrcpyW
lstrcatA

user32

wsprintfW
wsprintfA

advapi32

OpenProcessToken
RegEnumKeyExW
GetUserNameW
GetSidSubAuthorityCount
RegCloseKey
GetTokenInformation
GetSidSubAuthority
RegSetValueExW
RegCreateKeyW

shell32

ShellExecuteW

ws2_32

inet_ntoa
inet_addr

winhttp

WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpWriteData
WinHttpReadData
WinHttpConnect
WinHttpQueryOption
WinHttpReceiveResponse
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpSetTimeouts
WinHttpQueryHeaders
WinHttpCloseHandle

dnsapi

DnsQuery_A
DnsFree

ole32

CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CreateStreamOnHGlobal

oleaut32

SysFreeString
SysAllocString
SafeArrayCreate
SafeArrayDestroy

Sections

.text
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c63b68248e142bb0f68f8defc122148

Code Sign

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

shell32

ws2_32

winhttp

dnsapi

ole32

oleaut32

Sections

.text Size: 40KB - Virtual size: 39KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 620B

.bss Size: 3KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 8KB

.text
Size: 40KB - Virtual size: 39KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 620B

.bss
Size: 3KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 8KB