Overview

overview

10

Static

static

5238cb4f38...45.exe

windows7_x64

10

5238cb4f38...45.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    23-02-2022 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe

  • Size

    346KB

  • MD5

    4083b0e75f65d672e4ea31a97d5705ab

  • SHA1

    d83783afc8d3c9579f02d2f0fab6f1ec40e117dd

  • SHA256

    5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445

  • SHA512

    b4236b1fa73aae8c319d9a4ff7066ce171d00a975133ec8e1e01893edb3c8143d05cef2997cee5fd95cff03ad7bf4168c473f9ebea16c39dc53eeeb85ff44716

Score
10/10
gozi_rm3bankertrojan

Malware Config

Extracted

Family

gozi_rm3

rsa_pubkey.base64

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe
    "C:\Users\Admin\AppData\Local\Temp\5238cb4f38abf64151df3b85f74084abfc98f54cd6244198ce9d86de579a2445.exe"
    1⤵
      PID:2112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 308
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 348
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2112 -ip 2112
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:3744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2112 -ip 2112
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:1180

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2112-130-0x00000000006E8000-0x00000000006F9000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2112-131-0x00000000006A0000-0x00000000006AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2112-134-0x00000000006E8000-0x00000000006F9000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2112-135-0x0000000000690000-0x0000000000697000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2112-136-0x0000000001000000-0x000000000100A000-memory.dmp

      Filesize

      40KB

      Download