gozi_rm3 | ae0db078941deba2dabb864d39c233052e824804f8557c88b73db08c97220826

General

Target

ae0db078941deba2dabb864d39c233052e824804f8557c88b73db08c97220826.exe
Size

619KB
MD5

c37cdf3c7642208dc267403ecf2c1458
SHA1

3068b1cc4f5f3a1c7c6b99a29db602d9a1a4df96
SHA256

ae0db078941deba2dabb864d39c233052e824804f8557c88b73db08c97220826
SHA512

5b239357e049627dc5ffebb0fa4db558b24ee9c3d18a1a5f19e3dc6dcaa425068e67be4615e7b343139d849eedd6764ad9653fb0f8d9f0e7e5fc3fe1084f7d9f

Score

10^/10

gozi_rm3 90020242 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300900
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

90020242

C2

https://vrhgroups.xyz

Attributes

build
300900
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{32170477-DBBE-11EC-AC67-7E7E0F8D8E49} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5068	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5068	iexplore.exe
5068	iexplore.exe
4408	IEXPLORE.EXE
4408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4408	5068	iexplore.exe	85
PID 5068 wrote to memory of 4408	5068	iexplore.exe	85
PID 5068 wrote to memory of 4408	5068	iexplore.exe	85

C:\Users\Admin\AppData\Local\Temp\ae0db078941deba2dabb864d39c233052e824804f8557c88b73db08c97220826.exe
"C:\Users\Admin\AppData\Local\Temp\ae0db078941deba2dabb864d39c233052e824804f8557c88b73db08c97220826.exe"
1⤵
PID:2992

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5068 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:3192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3192 CREDAT:17410 /prefetch:2
  2⤵
  PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:4832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4832 CREDAT:17410 /prefetch:2
  2⤵
  PID:824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1928
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:17410 /prefetch:2
  2⤵
  PID:8

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1460
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:17410 /prefetch:2
  2⤵
  PID:1940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:4128
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:2
  2⤵
  PID:4516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:17410 /prefetch:2
  2⤵
  PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
072f65462640dba30c97f2291ed9e5e2

SHA1
4a0f211dea0969b961ec9b55e23c23588d811d21

SHA256
37ebee95068a13b2b8649ca81afb2475e3c71b4c7d9e6adeb90cd7f9d59d804f

SHA512
fe6483e55a807263c986f4c4060d8543b3793da655fbcc05d34c9a3093f5f0c145d458c139efeaebb1808d68ff03260df53e798fbbdeafd4de0a7e6d44cc056c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
434B

MD5
3a62a0c5074ac84fb8ad3addacb03507

SHA1
a8edd42036cd30a00f59657e6953afed0b19529d

SHA256
c0689fe67ce0394a7d58ffd019b725241dcda01f3ea5c5d32c0ed30f9f6616c0

SHA512
fa2452e978b7856c3f52ec2a358519f33a8a7343fd1c584d5b154d4ba9fdef629c2bbc73d41db3e8ef252a2f8f3395c37d57f9de290289f7ed958faebb43a667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNOBF6Z3\favicon[1].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
memory/2992-130-0x0000000002230000-0x0000000002246000-memory.dmp

Filesize
88KB

Download
memory/2992-136-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/2992-137-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads