General

  • Target

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

  • Size

    112KB

  • Sample

    220205-z96j7sfgep

  • MD5

    65977152d62265c0f46751874bd45767

  • SHA1

    3b6aaf8ab4eb82062780202248aad45b916376ab

  • SHA256

    8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

  • SHA512

    c36f317b7229139f9abaa1cf17b50699d3cab630b95d2fb9b59960c14d2843484378c60bd28bf841f229d23b889e180c278f007fd088948e2535e38cb2a782bb

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note

C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
---------------------------------------------------------------------------------------
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/0C1C-257D-7431-0006-422B
4. Follow the instructions at this website
---------------------------------------------------------------------------------------
“...Quod me non necat me fortiorem facit.”
URLs

http://decrypttozxybarc.onion/0C1C-257D-7431-0006-422B

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Ransom Note

C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
---------------------------------------------------------------------------------------
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/865A-5B5E-921E-0006-4B9D
4. Follow the instructions at this website
---------------------------------------------------------------------------------------
“...Quod me non necat me fortiorem facit.”
URLs

http://decrypttozxybarc.onion/865A-5B5E-921E-0006-4B9D

Targets

    • Target

      8f5be0af938a91d520c9ad6454e4eb8e562d236c6cdaae9cecfe04b28e37f857

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks