Overview

overview

10

Static

static

9

339d1ee2a0...fc.exe

windows7_x64

10

339d1ee2a0...fc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    186s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    339d1ee2a0cc5fa4ae29fcf5786c4d39b4566d03107fa70d90ed97d0db634ffc.exe

  • Size

    908KB

  • MD5

    2360d0cb63e652f2859e8e7b2e052fad

  • SHA1

    d350ac06424a7e5cdf9fc1d29474652e2a5c3376

  • SHA256

    339d1ee2a0cc5fa4ae29fcf5786c4d39b4566d03107fa70d90ed97d0db634ffc

  • SHA512

    8bc369c618b688bd1abc063bd5ac8a73bdcb9143e04288b1b151fb909d8066ba8e489ad6c76b290e2f3354023b8f8c1dc48dec58896a3cc4f71f2ad3a848aebe

Score
10/10
gozi_rm3202004141bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\339d1ee2a0cc5fa4ae29fcf5786c4d39b4566d03107fa70d90ed97d0db634ffc.exe
    "C:\Users\Admin\AppData\Local\Temp\339d1ee2a0cc5fa4ae29fcf5786c4d39b4566d03107fa70d90ed97d0db634ffc.exe"
    1⤵
      PID:1044
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:209935 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XE1Y778U.txt
      Filesize

      603B

      MD5

      0328f15f2aabbcf3b3ef68b5b3163a37

      SHA1

      6d0d8f68ed13088ac4235f9e3295b088f9f8a6bc

      SHA256

      d67f1be01277861f3484cdcc370529670c158c286b35a50b50cafdbf48a6337f

      SHA512

      b40448cc094dfdfb85fe59fcf0e4b5d1fe3fc0f6703f11ad5819590de3c249a80b3a303411032fa4134f62fe7ebcbfc05006e9bcd653b3dccbd8f6c662edc415

      Download Submit

    • memory/1044-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1044-55-0x0000000000220000-0x000000000022C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1044-56-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/1044-57-0x0000000000240000-0x0000000000251000-memory.dmp

      Filesize

      68KB

      Download