Overview

overview

10

Static

static

9

06ee38c3c9...3c.exe

windows7_x64

10

06ee38c3c9...3c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06ee38c3c96ce3717fc5589d4843a336544df20f398efc2d4134ba8460fab03c.exe

  • Size

    908KB

  • MD5

    3c29a3c8d2d0a8e634a56688d4fb0d55

  • SHA1

    e39eb1538a1235387873f5828e9e681682bd2113

  • SHA256

    06ee38c3c96ce3717fc5589d4843a336544df20f398efc2d4134ba8460fab03c

  • SHA512

    b4d270e7527f363cf871a18f38f2457c120323436fc2cc580e3201f2614173f281886c68b2905e76bf0c4fc2064d77feebd50e857799a95edb2f2b407a0eb9dd

Score
10/10
gozi_rm3202004141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06ee38c3c96ce3717fc5589d4843a336544df20f398efc2d4134ba8460fab03c.exe
    "C:\Users\Admin\AppData\Local\Temp\06ee38c3c96ce3717fc5589d4843a336544df20f398efc2d4134ba8460fab03c.exe"
    1⤵
      PID:3356
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4668
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4900
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:82952 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5012
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4980
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3428 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:616
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1128
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3268 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3644

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        Filesize

        1KB

        MD5

        ac8fe9d561e9e7288aecf13f03aea3d1

        SHA1

        2c1f6e6af414d175a886ca62914470bdc4a812da

        SHA256

        cecd911136f3ccbe6f4869cbcbd9fd15b3fa91cd2fd49b9655fa3bcf8e932c05

        SHA512

        1035b16f1633be2d95e6b42bfd0b798fd64bcbfcb397652cf7bf144b253bb8d5fe03618919f57ebdfeb5963dd4d45c6932bf95c43d296d82392fb77c264b4541

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        Filesize

        404B

        MD5

        491f283f1c3f1316cc3bbe35f6635777

        SHA1

        ea650437d9f4c3bbd76c96885355117b4b1ec1f1

        SHA256

        4986f57c1b32394b6f9567d30cac44e4367d48b9fd5670ca0474bce0408053fe

        SHA512

        3aec14d6072bddfb42ee56bf2e7f15e14c70c9fa28e788fde213a8dbdb3daa62444fff11641694ddbbd03a246f4e43c09c8c407a87c453d63253b5dd64957c48

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\favicon[2].ico
        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        Download Submit
      • memory/3356-130-0x00000000006A0000-0x00000000006B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3356-136-0x0000000000680000-0x000000000068C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/3356-137-0x0000000000400000-0x00000000004E5000-memory.dmp
        Filesize

        916KB

        Download