gozi_rm3 | 33f02815a25172b12a516e72ea50eb8ca40630bd74f63941020848888cbe1ea8

General

Target

33f02815a25172b12a516e72ea50eb8ca40630bd74f63941020848888cbe1ea8.exe
Size

462KB
MD5

dad32a0cd14d8b4244a9df1cc9c82185
SHA1

6a00cf1e4026a7403eaf5ca328b63c417308c4df
SHA256

33f02815a25172b12a516e72ea50eb8ca40630bd74f63941020848888cbe1ea8
SHA512

c54d2495e0e65b6bd45f2407ef2fc9ae7a63884b362eaba0ce67023f6dce8be3ef97448f34ed1be09e5e9713f03d4d8e2b4719d2158df1b9891df0f6f1c72c8b

Score

10^/10

gozi_rm3 89820235 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300898
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

89820235

C2

https://exeupay.xyz

Attributes

build
300898
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E46DFF86-DBC5-11EC-B274-7E9F925D3B67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4320	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4320	iexplore.exe
4320	iexplore.exe
4272	IEXPLORE.EXE
4272	IEXPLORE.EXE
4320	iexplore.exe
4320	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4272	4320	iexplore.exe	85
PID 4320 wrote to memory of 4272	4320	iexplore.exe	85
PID 4320 wrote to memory of 4272	4320	iexplore.exe	85
PID 4320 wrote to memory of 1040	4320	iexplore.exe	90
PID 4320 wrote to memory of 1040	4320	iexplore.exe	90
PID 4320 wrote to memory of 1040	4320	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\33f02815a25172b12a516e72ea50eb8ca40630bd74f63941020848888cbe1ea8.exe
"C:\Users\Admin\AppData\Local\Temp\33f02815a25172b12a516e72ea50eb8ca40630bd74f63941020848888cbe1ea8.exe"
1⤵
PID:1964

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4320 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4320 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17410 /prefetch:2
  2⤵
  PID:4836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:17410 /prefetch:2
  2⤵
  PID:3256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
  2⤵
  PID:756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:4252
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4252 CREDAT:17410 /prefetch:2
  2⤵
  PID:3416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:4440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:17410 /prefetch:2
  2⤵
  PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-130-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1964-137-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1964-136-0x0000000002090000-0x00000000020B8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads