Overview

overview

10

Static

static

XqBTvE.exe

windows7_x64

10

XqBTvE.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    15-03-2022 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XqBTvE.exe

  • Size

    252KB

  • MD5

    defe731e1ca1092c08e5edd84404ed21

  • SHA1

    9c68ffba054067f51fbb172bc00d835e0014a073

  • SHA256

    ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24

  • SHA512

    08f11f749847f0579b3e92502789bdabfb049f3fea304c0ff1affbed3a45b7ca7a2c88594ad0ec608c2495c6ef95906305a9cae102d9dc617929750ece7f63ba

Score
10/10
gozi_rm3bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 21 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe
    "C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe"
    1⤵
      PID:3652
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3988
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          PID:5060

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3652-134-0x00000000004CD000-0x00000000004D9000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3652-135-0x00000000004CD000-0x00000000004D9000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3652-136-0x0000000000D20000-0x0000000000D2C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3652-137-0x0000000001000000-0x000000000106F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/3652-138-0x0000000000D30000-0x0000000000D40000-memory.dmp

        Filesize

        64KB

        Download