Overview

overview

10

Static

static

10

4504589a3c...ee.exe

windows7_x64

10

4504589a3c...ee.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4504589a3c5e796d03e2e3d702741e195607d2b8c0c14a4108c2124ed04c83ee.exe

  • Size

    42KB

  • MD5

    ea16aa021efc02a6021a341df53ef7cc

  • SHA1

    adeb29160439cdeca0519fbd7ae037be915c0fa2

  • SHA256

    4504589a3c5e796d03e2e3d702741e195607d2b8c0c14a4108c2124ed04c83ee

  • SHA512

    7e91e477b0c58072962fb3c7c3b847585da06a3a0517d3a7c220d4d7efdeb6d1435cad4bd276c764aed2470fbfaba0aff2f5f600963ead529cb1549c4ac5cfec

Score
10/10
gozi_rm3202004021bankerpersistencetrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202004021

C2

https://prlottonews.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Sets service image path in registry 2 TTPs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4504589a3c5e796d03e2e3d702741e195607d2b8c0c14a4108c2124ed04c83ee.exe
    "C:\Users\Admin\AppData\Local\Temp\4504589a3c5e796d03e2e3d702741e195607d2b8c0c14a4108c2124ed04c83ee.exe"
    1⤵
      PID:1132
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3872
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1324
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:82950 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1792
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
        1⤵
          PID:3008
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 68ace67f09a2ef0491221e8a7cb24568 /MdMpPJ1D06TDUBVvcW6ng.0.1.0.0.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:1912

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1132-130-0x00000000001C0000-0x00000000001D1000-memory.dmp

          Filesize

          68KB

          Download