General

  • Target

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

  • Size

    112KB

  • Sample

    220205-z43lcsfeg6

  • MD5

    9a7f87c91bf7e602055a5503e80e2313

  • SHA1

    193f407a2f0c7e1eaa65c54cd9115c418881de42

  • SHA256

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

  • SHA512

    d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

Malware Config

Extracted

Path

C:\Users\Default\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
---------------------------------------------------------------------------------------
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/294B-5909-31B8-0006-4D08
4. Follow the instructions at this website
---------------------------------------------------------------------------------------
"...Quod me non necat me fortiorem facit."
URLs

http://decrypttozxybarc.onion/294B-5909-31B8-0006-4D08

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
---------------------------------------------------------------------------------------
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699
4. Follow the instructions at this website
---------------------------------------------------------------------------------------
"...Quod me non necat me fortiorem facit."
URLs

http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699

Targets

    • Target

      e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

    • Gozi RM3

      A heavily modified version of Gozi that uses the RM3 loader.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v6

Tasks