Overview

overview

10

Static

static

b32e9a565a...e8.exe

windows7_x64

10

b32e9a565a...e8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    179s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b32e9a565a0139fff78d5f6359d4f4a43116cce38cffdda7ca06ce34c44600e8.exe

  • Size

    619KB

  • MD5

    3a41068fa1d29a0c776c49ed5e3ea9a7

  • SHA1

    f825503879b1cf0812416c9d3b625093b4ebac9a

  • SHA256

    b32e9a565a0139fff78d5f6359d4f4a43116cce38cffdda7ca06ce34c44600e8

  • SHA512

    0fe7e9a57647ccd74f54ee88e15d206cb8bac8bf4ac064182e6445dd19405c6a601083fd931ea04843a311768a260c451c7486a36d3499beb84d09acfc5fdfc9

Score
10/10
gozi_rm390020242bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300900

Extracted

Family

gozi_rm3

Botnet

90020242

C2

https://vrhgroups.xyz

Attributes
  • build

    300900

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32e9a565a0139fff78d5f6359d4f4a43116cce38cffdda7ca06ce34c44600e8.exe
    "C:\Users\Admin\AppData\Local\Temp\b32e9a565a0139fff78d5f6359d4f4a43116cce38cffdda7ca06ce34c44600e8.exe"
    1⤵
      PID:2396
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3572
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4224
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3760
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2988
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1984
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3900
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3696

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
        Filesize

        7KB

        MD5

        5c1113b7526a7723b64400d44129fa78

        SHA1

        af1b7813ad3e00d4699e5514a77984d5b423b757

        SHA256

        9ecc27c740862ab2712da2c4ff31592e2c0a8643576e64551ee344a73fbe2494

        SHA512

        4b47b9886884bc1eb0651c53eb1805922b2889d42076665bbd9f4b818d54c1bc86956e79cdc254c847b83640373b22a77f9bed9987fbd58c9104bca807a2d2d7

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
        Filesize

        226B

        MD5

        df2f811d577b427a5d74169d0bf1a8d2

        SHA1

        288746064fa5ac4b756914dfba33335bb3ce8855

        SHA256

        9d9f5d17298e74fee20c3db5a70c0fed4c51bc1b5cf9b7bfa878b445736975af

        SHA512

        aa5cbbb4d315797ad49acc6d06f1f9175cee45f49a9e5554a69bdd861329e06a42bb8a7b31bf2ad6801e821f2d5f0e3b4953616032650c45fef2f90f5810a3a1

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNOBF6Z3\favicon[1].ico
        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        Download Submit

      • memory/2396-130-0x0000000000560000-0x0000000000588000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2396-131-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2396-132-0x00000000005C0000-0x00000000005D6000-memory.dmp

        Filesize

        88KB

        Download