Analysis

  • max time kernel
    62s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 21:41

General

  • Target

    431d481368e7a1811d2631f820bed7d0e69888d6a3bd2834fe80f198adbcfe99.exe

  • Size

    908KB

  • MD5

    7718e635752d71c9ddc2db871c5338dc

  • SHA1

    ee0135969cb3c76fa992706f2844c8e6a202dd2c

  • SHA256

    431d481368e7a1811d2631f820bed7d0e69888d6a3bd2834fe80f198adbcfe99

  • SHA512

    4b2446b5d0aab459b07c31024d515bca90bf09d9b80c63cfb9eed9531866080115c70f723b1d187c293e4ff702632bfa43ee7a6cdb6a22e2bce7a6c057ade586

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\431d481368e7a1811d2631f820bed7d0e69888d6a3bd2834fe80f198adbcfe99.exe
    "C:\Users\Admin\AppData\Local\Temp\431d481368e7a1811d2631f820bed7d0e69888d6a3bd2834fe80f198adbcfe99.exe"
    1⤵
    PID:2012

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1388
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:537611 /prefetch:2
      2⤵
      PID:1540

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    PID:1804
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
      2⤵
      PID:1620

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    PID:620
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:620 CREDAT:275457 /prefetch:2
      2⤵
      PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry
    1
    T1112

Downloads

  • memory/2012-54-0x00000000765F1000-0x00000000765F3000-memory.dmp
    Filesize
    8KB

  • memory/2012-55-0x0000000000220000-0x000000000022C000-memory.dmp
    Filesize
    48KB

  • memory/2012-56-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize
    916KB

  • memory/2012-57-0x0000000000240000-0x0000000000251000-memory.dmp
    Filesize
    68KB