Analysis

  • max time kernel
    151s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-04-2022 03:09

General

  • Target

    1097b8ae90021f52c731afcc24fe8e70b113be4b9f8b4a517bf79fc8cf6493dc.dll

  • Size

    179KB

  • MD5

    d399683c62c53c0566c69788e0118577

  • SHA1

    c2077a951294db1d81e9dcfa2efaf59f97811f1f

  • SHA256

    1097b8ae90021f52c731afcc24fe8e70b113be4b9f8b4a517bf79fc8cf6493dc

  • SHA512

    9e3feea1538bb86295f692eae3b9da12b99eb65f094d11ee5367e89d6933cb61c5e09854e5858fdaf1032ec439a74582975565501a8c3eefbefb8ea034dbc13b

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300930

Extracted

Family

gozi_rm3

Botnet

93020441

C2

https://topactioncam.xyz

Attributes
  • build

    300930

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi that uses the RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1097b8ae90021f52c731afcc24fe8e70b113be4b9f8b4a517bf79fc8cf6493dc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1097b8ae90021f52c731afcc24fe8e70b113be4b9f8b4a517bf79fc8cf6493dc.dll,#1
      2⤵
        PID:1760
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:908
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1820
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1460
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1924
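
The process tree above shows the launch pattern worth encoding as detection logic: the 64-bit rundll32.exe in system32 loads the dropped DLL from %TEMP% by export ordinal (`,#1`), then re-launches the same command line through SysWOW64\rundll32.exe because the DLL is 32-bit, and the iexplore.exe instances are started with `-Embedding` (COM activation rather than a user launch) while triggering WriteProcessMemory. The script below is an added example, not part of the sandbox report; it walks a process tree constructed from the Processes section of this page (only the rundll32 pair and the first two iexplore.exe pairs are reproduced, with their PIDs and signatures as listed) and flags each of those three behaviours. The depth values stand in for the report's "1⤵"/"2⤵" nesting markers.

```python
"""Flag the Gozi RM3 launch chain in a sandbox-style process tree.

Added example; the tree below is constructed from this report's Processes
section (image paths, command lines, PIDs and signatures copied from it).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proc:
    depth: int                  # nesting level from the report (1 = top level)
    image: str                  # full image path
    cmdline: str                # command line as logged
    pid: int
    signatures: List[str]       # sandbox signatures attached to this process
    parent: Optional["Proc"] = None


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\1097b8ae90021f52c731afcc24fe8e70b113be4b9f8b4a517bf79fc8cf6493dc.dll")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
WPM = "Suspicious use of WriteProcessMemory"
HOOK = "Suspicious use of SetWindowsHookEx"
IESET = "Modifies Internet Explorer settings"

# (depth, image, cmdline, pid, signatures), in report order.
TREE = [
    (1, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1", 1356, [WPM]),
    (2, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1", 1760, []),
    (1, IE64, f'"{IE64}" -Embedding', 892, [IESET, WPM, HOOK]),
    (2, IE32, f'"{IE32}" SCODEF:892 CREDAT:275457 /prefetch:2', 908, [IESET, HOOK]),
    (1, IE64, f'"{IE64}" -Embedding', 1520, [IESET, WPM, HOOK]),
    (2, IE32, f'"{IE32}" SCODEF:1520 CREDAT:275457 /prefetch:2', 1608, [IESET, HOOK]),
]

ORDINAL_EXPORT = re.compile(r",#\d+\s*$")            # rundll32 <dll>,#<ordinal>
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def build_tree(rows) -> List[Proc]:
    """Link every row to the nearest preceding row with a smaller depth."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    for depth, image, cmdline, pid, sigs in rows:
        p = Proc(depth, image, cmdline, pid, list(sigs))
        while stack and stack[-1].depth >= depth:
            stack.pop()
        p.parent = stack[-1] if stack else None
        stack.append(p)
        procs.append(p)
    return procs


def is_rundll32(p: Proc) -> bool:
    return p.image.lower().endswith("\\rundll32.exe")


def analyse(procs: List[Proc]) -> List[str]:
    """Return one finding string per matched behaviour, prefixed by PID."""
    findings: List[str] = []
    for p in procs:
        # 1. rundll32 running a DLL dropped in %TEMP% through an export ordinal.
        if is_rundll32(p) and ORDINAL_EXPORT.search(p.cmdline) and TEMP_DIR.search(p.cmdline):
            findings.append(f"{p.pid}: rundll32 loads a DLL from %TEMP% by export ordinal")
        # 2. system32 (64-bit) rundll32 re-launching the identical command line under
        #    SysWOW64: the loaded DLL is 32-bit, so the payload lives in the child.
        if (is_rundll32(p) and p.parent is not None and is_rundll32(p.parent)
                and "\\syswow64\\" in p.image.lower()
                and "\\system32\\" in p.parent.image.lower()
                and p.cmdline == p.parent.cmdline):
            findings.append(f"{p.pid}: WOW64 re-launch of the same 32-bit DLL by PID {p.parent.pid}")
        # 3. iexplore.exe activated by COM (-Embedding) that also writes into
        #    another process's memory: the browser is a host, not a user session.
        if (p.image.lower().endswith("\\iexplore.exe")
                and "-embedding" in p.cmdline.lower() and WPM in p.signatures):
            findings.append(f"{p.pid}: COM-activated iexplore.exe with WriteProcessMemory")
    return findings


def payload_pids(procs: List[Proc]) -> List[int]:
    """PIDs of the SysWOW64 rundll32 children: the processes to dump first."""
    return [p.pid for p in procs
            if is_rundll32(p) and "\\syswow64\\" in p.image.lower()]


if __name__ == "__main__":
    for line in analyse(build_tree(TREE)):
        print(line)
    print("dump first:", payload_pids(build_tree(TREE)))
```

The third rule is deliberately conjunctive: `-Embedding` on its own is how any COM server, IE included, gets started, so it is only interesting together with cross-process memory writes. Likewise the WOW64 re-launch is normal rundll32 behaviour for a 32-bit DLL on a 64-bit host; its value here is telling you which PID (1760, whose memory regions are listed further down) actually holds the unpacked loader.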

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat

      Filesize

      4KB

      MD5

      2aeb925c008b7c4dae5d45f7d19be0b4

      SHA1

      4882717d427930145881e7e0b34b4da2388b1194

      SHA256

      abc2ba6d49a0656bfa52a02809ea7560398e806ad72905dbd7d9ce92837beff4

      SHA512

      ed5b601266a9ef02131ba3c137ba220a1cd45a5b61cb7ebf5c2e00fedf528f687020d18b8f842c77ad2963426a7952e68c4a86f8d3c2686c8468a38717b23315

    • memory/1760-55-0x0000000075361000-0x0000000075363000-memory.dmp

      Filesize

      8KB

    • memory/1760-57-0x00000000001D0000-0x00000000001E0000-memory.dmp

      Filesize

      64KB

    • memory/1760-56-0x00000000001D0000-0x00000000001E0000-memory.dmp

      Filesize

      64KB

    • memory/1760-58-0x0000000000120000-0x000000000012E000-memory.dmp

      Filesize

      56KB

    • memory/1760-59-0x00000000001F0000-0x0000000000202000-memory.dmp

      Filesize

      72KB

    • memory/1760-65-0x00000000002B0000-0x00000000002B2000-memory.dmp

      Filesize

      8KB