Overview

overview

10

Static

static

9

68511f1825...33.exe

windows7_x64

10

68511f1825...33.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    56s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68511f1825391b79c703d63aa23463e920c866ec506ae067014f8226d6366f33.exe

  • Size

    908KB

  • MD5

    7d03263195d980077822bf5b1e8d0b02

  • SHA1

    abae4572f4e7681cd074006775e6c232f03036bc

  • SHA256

    68511f1825391b79c703d63aa23463e920c866ec506ae067014f8226d6366f33

  • SHA512

    4b6ca5c8a13d8a51f8a83a69e973c48590791d8ba36083be8039c26e889f9ac547a62f1f29f496cd35cf3bcd5f46fc5cd1d49df2af18158a47a98b8f6799e345

Score
10/10
gozi_rm3202004141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68511f1825391b79c703d63aa23463e920c866ec506ae067014f8226d6366f33.exe
    "C:\Users\Admin\AppData\Local\Temp\68511f1825391b79c703d63aa23463e920c866ec506ae067014f8226d6366f33.exe"
    1⤵
      PID:1164
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1144
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275465 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:520
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
        PID:1564
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
          2⤵
            PID:1232
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
            PID:1696

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OIDKHO4K.txt
            Filesize

            599B

            MD5

            9665b9d2f421b5bccf2050dd782670ef

            SHA1

            3640099ee16096f8fc27ce6a11568909ace5063e

            SHA256

            6a62e0105173c8c0e078691be6789ae28e9105251d12c26396409c9af2c92d4f

            SHA512

            5f6ba483659038da33ac068f4d80d9bb9241b9d1f4e520869b5b4b804411fc71c1246734ebc52ae44f20d19474d0ea6f061a9c270ea565049116e35171c6729d

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
            Filesize

            3KB

            MD5

            2240edd7f2001426fdd4ec71a881a03e

            SHA1

            89a6270c6e628de4b8f0e9aa13d498fc57232604

            SHA256

            5bc666ec92f1dcf1d105a990dbb1011dba66bad069f477b1db18cac409fd3429

            SHA512

            2f8a3be7bac6262b8bb4ca08bf44a139cdb10032ae24a16d2627bdaeb88f802ccc59aa5557c8d4c7ad6068d6078f8cdf2b7e28a34caa35a492ff58403706b337

            Download Submit
          • memory/1164-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1164-55-0x0000000000220000-0x000000000022C000-memory.dmp
            Filesize

            48KB

            Download
          • memory/1164-56-0x0000000000400000-0x00000000004E5000-memory.dmp
            Filesize

            916KB

            Download
          • memory/1164-57-0x0000000000240000-0x0000000000251000-memory.dmp
            Filesize

            68KB

            Download