Overview

overview

10

Static

static

EWHxeQ.exe

windows7_x64

10

EWHxeQ.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294217s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    15-03-2022 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EWHxeQ.exe

  • Size

    252KB

  • MD5

    aa9e193908e16757ca1803d25f3b65d6

  • SHA1

    1bd752e969771db5af1ffbf7ebe956dd8fefe040

  • SHA256

    c8ac98c4e43e4290cdaefce51ebf9165143c31d3fbce0f9f80cf5a3258058c4a

  • SHA512

    5a8157caa8b8639733b1f9159b15212b7818ae52431e45134e4db9282121737bceed192d4a68adce41d971a1e4bf807a2401f951d4c1400ff58ee40fcb96ffad

Score
10/10
gozi_rm3bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

  • exe_type

    loader

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EWHxeQ.exe
    "C:\Users\Admin\AppData\Local\Temp\EWHxeQ.exe"
    1⤵
      PID:1640
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:620 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1640-54-0x000000000038E000-0x0000000000399000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1640-55-0x00000000750C1000-0x00000000750C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1640-56-0x0000000000230000-0x0000000000240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1640-62-0x000000000038E000-0x0000000000399000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1640-63-0x0000000000220000-0x000000000022C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1640-64-0x0000000001000000-0x000000000106F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/1640-65-0x00000000002E0000-0x00000000002E2000-memory.dmp

      Filesize

      8KB

      Download