Analysis

  • max time kernel
    164s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 23:04

General

  • Target

    f5858eedfbb9ea4d4a85a242434baff7a16719b59067c2ad4f77fe502448a9a3.exe

  • Size

    908KB

  • MD5

    ab176508b14b173f65e1d01000412a3b

  • SHA1

    deb953532953afb80f0d73f8543fb91f7fdbe312

  • SHA256

    f5858eedfbb9ea4d4a85a242434baff7a16719b59067c2ad4f77fe502448a9a3

  • SHA512

    791aa57f7ac690360478ddb0dd2a3f309dce812d9f387282fec3fee1e5132d48e7db66f36e072641f06ca548e731e4109077acbc1b7cb678d29149aa63511601

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain

    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD3AfU4ayUEHchQ3H0W1/d3ziW
    VNCFHWaAm8mJq6hQwn03GNGV7hOICH8h/+dZGEwYWVnRq128QMPZTIj0b+iqHKlM
    sHzxEIZlWUVvnfbx6unDAC8aJXovmePrPvbHJ1FrplzlbILiPLvofh7pXzTdfcDQ
    e3wfV7cbxJ3DXessqwIDAQAB
    -----END PUBLIC KEY-----

serpent.plain

    8JbpEEfNYPlYoAN4

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (7 IoCs)
  • Suspicious use of SetWindowsHookEx (28 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5858eedfbb9ea4d4a85a242434baff7a16719b59067c2ad4f77fe502448a9a3.exe
    "C:\Users\Admin\AppData\Local\Temp\f5858eedfbb9ea4d4a85a242434baff7a16719b59067c2ad4f77fe502448a9a3.exe"
    1⤵
      PID:3484
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3812
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5004 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4076
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5004 CREDAT:82950 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1068
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3660 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4656
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4416 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1016
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3100 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1960
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2852
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4708

      Network

      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
        IN PTR
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        storesdk.dsx.mp.microsoft.com
        Remote address:
        8.8.8.8:53
        Request
        storesdk.dsx.mp.microsoft.com
        IN A
        Response
        storesdk.dsx.mp.microsoft.com
        IN CNAME
        storesdk.xbetservices.akadns.net
        storesdk.xbetservices.akadns.net
        IN CNAME
        storesdk.dsx.mp.microsoft.com.edgekey.net
        storesdk.dsx.mp.microsoft.com.edgekey.net
        IN CNAME
        e16646.g.akamaiedge.net
        e16646.g.akamaiedge.net
        IN A
        2.18.109.224
      • flag-fr
        GET
        https://storesdk.dsx.mp.microsoft.com/v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NXQXXLFST89&parentProductId=
        Remote address:
        2.18.109.224:443
        Request
        GET /v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NXQXXLFST89&parentProductId= HTTP/1.1
        Accept-Encoding: gzip, deflate
        MS-CV: Drr3i1yLFUyw7DLy.3.3.1.2
        User-Agent: WindowsStoreSDK
        Host: storesdk.dsx.mp.microsoft.com
        Connection: Keep-Alive
        Cookie: _EDGE_V=1; MUID=2EE81D958D766944205E0C138CB168D8
        Response
        HTTP/1.1 200 OK
        Cache-Control: no-cache
        Content-Length: 144
        Content-Type: application/json; charset=utf-8
        Server: Microsoft-HTTPAPI/2.0
        X-OSG-Served-By: Torus-WESTEUROPE_Legacy00000B_1.0.0.0
        MS-CV: Drr3i1yLFUyw7DLy.3.3.1.2.1
        Date: Tue, 24 May 2022 23:06:13 GMT
        Connection: keep-alive
      • flag-fr
        GET
        https://storesdk.dsx.mp.microsoft.com/v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NCBCSZSJRSB&parentProductId=
        Remote address:
        2.18.109.224:443
        Request
        GET /v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NCBCSZSJRSB&parentProductId= HTTP/1.1
        Accept-Encoding: gzip, deflate
        MS-CV: Drr3i1yLFUyw7DLy.7.3.1.2
        User-Agent: WindowsStoreSDK
        Host: storesdk.dsx.mp.microsoft.com
        Connection: Keep-Alive
        Cookie: _EDGE_V=1; MUID=2EE81D958D766944205E0C138CB168D8
        Response
        HTTP/1.1 200 OK
        Cache-Control: no-cache
        Content-Length: 144
        Content-Type: application/json; charset=utf-8
        Server: Microsoft-HTTPAPI/2.0
        X-OSG-Served-By: Torus-WESTEUROPE_Legacy00000B_1.0.0.0
        MS-CV: Drr3i1yLFUyw7DLy.7.3.1.2.1
        Date: Tue, 24 May 2022 23:06:22 GMT
        Connection: keep-alive
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        store-images.s-microsoft.com
        Remote address:
        8.8.8.8:53
        Request
        store-images.s-microsoft.com
        IN A
        Response
        store-images.s-microsoft.com
        IN CNAME
        store-images.s-microsoft.com-c.edgekey.net
        store-images.s-microsoft.com-c.edgekey.net
        IN CNAME
        e12564.dspb.akamaiedge.net
        e12564.dspb.akamaiedge.net
        IN A
        104.123.41.133
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        devicelease.xyz
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        devicelease.xyz
        IN A
        Response
      • flag-us
        DNS
        store-images.s-microsoft.com
        Remote address:
        8.8.8.8:53
        Request
        store-images.s-microsoft.com
        IN A
        Response
        store-images.s-microsoft.com
        IN CNAME
        store-images.s-microsoft.com-c.edgekey.net
        store-images.s-microsoft.com-c.edgekey.net
        IN CNAME
        e12564.dspb.akamaiedge.net
        e12564.dspb.akamaiedge.net
        IN A
        104.123.41.133
      • flag-nl
        GET
        http://store-images.s-microsoft.com/image/apps.20893.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.acc28f88-50de-4aaf-abfc-ad1da8b04cd0
        Remote address:
        104.123.41.133:80
        Request
        GET /image/apps.20893.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.acc28f88-50de-4aaf-abfc-ad1da8b04cd0 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Install Service
        Host: store-images.s-microsoft.com
        Response
        HTTP/1.1 200 OK
        Cache-Control: public, max-age=7776000, s-maxage=7776000
        Content-Type: image/png
        Last-Modified: Mon, 30 Aug 2021 15:07:35 GMT
        Accept-Ranges: none
        ETag: W/"gEDUIDB4OEQ5NkJDN0U2NjEyRjlF"
        MS-CV: h3JZN5MPwkaTwSf4.0
        Access-Control-Expose-Headers: MS-CV
        Content-Length: 2626
        Date: Tue, 24 May 2022 23:07:39 GMT
        Connection: keep-alive
        Access-Control-Allow-Origin: *
      • 3.22.30.40:17455
        46 B
        40 B
        1
        1
      • 52.109.76.31:443
        40 B
        1
      • 20.54.110.249:443
        46 B
        1
      • 2.18.109.224:443
        https://storesdk.dsx.mp.microsoft.com/v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NCBCSZSJRSB&parentProductId=
        tls, http
        1.8kB
        8.0kB
        15
        14

        HTTP Request

        GET https://storesdk.dsx.mp.microsoft.com/v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NXQXXLFST89&parentProductId=

        HTTP Response

        200

        HTTP Request

        GET https://storesdk.dsx.mp.microsoft.com/v8.0/Sdk/products/contentId?market=US&locale=en-US&languages=en-US&deviceFamily=Windows.Desktop&productIds=9NCBCSZSJRSB&parentProductId=

        HTTP Response

        200
      • 104.123.41.133:80
        store-images.s-microsoft.com
        260 B
        5
      • 104.123.41.133:80
        http://store-images.s-microsoft.com/image/apps.20893.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.acc28f88-50de-4aaf-abfc-ad1da8b04cd0
        http
        445 B
        3.2kB
        5
        5

        HTTP Request

        GET http://store-images.s-microsoft.com/image/apps.20893.13571498826857201.00a9d390-581f-492c-b148-b2ce81649480.acc28f88-50de-4aaf-abfc-ad1da8b04cd0

        HTTP Response

        200
      • 104.123.41.133:80
        store-images.s-microsoft.com
        156 B
        3
      • 2.18.109.224:443
        storesdk.dsx.mp.microsoft.com
        tls
        92 B
        111 B
        2
        2
      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
        dns
        118 B
        204 B
        1
        1

        DNS Request

        0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        storesdk.dsx.mp.microsoft.com
        dns
        75 B
        223 B
        1
        1

        DNS Request

        storesdk.dsx.mp.microsoft.com

        DNS Response

        2.18.109.224

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        store-images.s-microsoft.com
        dns
        74 B
        183 B
        1
        1

        DNS Request

        store-images.s-microsoft.com

        DNS Response

        104.123.41.133

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        IEXPLORE.EXE
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        store-images.s-microsoft.com
        dns
        74 B
        183 B
        1
        1

        DNS Request

        store-images.s-microsoft.com

        DNS Response

        104.123.41.133

      MITRE ATT&CK Enterprise v6

      Downloads

      • memory/3484-130-0x0000000000650000-0x0000000000661000-memory.dmp

        Filesize

        68KB

      • memory/3484-137-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/3484-136-0x0000000000630000-0x000000000063C000-memory.dmp

        Filesize

        48KB
