Analysis

  • max time kernel: 179s
  • max time network: 183s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 24-05-2022 23:24

General

  • Target: 64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9.exe
  • Size: 908KB
  • MD5: c0058eb7f571ea1a23397c4b8e3f315f
  • SHA1: cf0e22a2745dc6fcbf77206706ef0c67d40a3b21
  • SHA256: 64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9
  • SHA512: a48f82597ad34ba480b871d6d0f05dd73a00066387743cd174382b31f82dd8cce5f06eed6fd83fbdda8d7a92fd0d9c9709174e416b366dd2b18b1fb3406e7a77

Malware Config

Extracted

  Family: gozi_rm3
  Attributes
    • build: 300854
    • exe_type: loader

Extracted

  Family: gozi_rm3
  Botnet: 202004141
  C2: https://devicelease.xyz
  Attributes
    • build: 300854
    • dga_base_url: constitution.org/usdeclar.txt
    • dga_crc: 0x4eb7d2ca
    • dga_season: 10
    • dga_tlds: com, ru, org
    • exe_type: loader
    • server_id: 12
    • url_path: index.htm

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD3AfU4ayUEHchQ3H0W1/d3ziW
VNCFHWaAm8mJq6hQwn03GNGV7hOICH8h/+dZGEwYWVnRq128QMPZTIj0b+iqHKlM
sHzxEIZlWUVvnfbx6unDAC8aJXovmePrPvbHJ1FrplzlbILiPLvofh7pXzTdfcDQ
e3wfV7cbxJ3DXessqwIDAQAB
-----END PUBLIC KEY-----

serpent.plain
8JbpEEfNYPlYoAN4
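The extracted configuration above is what a responder turns into blocklist entries and a key fingerprint. The block below is an added example written for this page, not Triage's config extractor and not code from the malware: it copies the second, complete extraction into a dict, walks the PEM SubjectPublicKeyInfo with a minimal DER reader to report the modulus size and exponent, and separates the C2 host from the site the DGA merely fetches its seed text from. The dict keys, the function names and the `RSA_ENCRYPTION_OID` constant are this example's own; only the values come from the report.

```python
"""Parse the Gozi RM3 config extracted above (added example; standard library only)."""
import base64
import hashlib
from urllib.parse import urlsplit

# Copied from the report's rsa_pubkey.plain value.
PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD3AfU4ayUEHchQ3H0W1/d3ziW
VNCFHWaAm8mJq6hQwn03GNGV7hOICH8h/+dZGEwYWVnRq128QMPZTIj0b+iqHKlM
sHzxEIZlWUVvnfbx6unDAC8aJXovmePrPvbHJ1FrplzlbILiPLvofh7pXzTdfcDQ
e3wfV7cbxJ3DXessqwIDAQAB
-----END PUBLIC KEY-----"""

# Second (complete) extraction from the report; key names are this example's.
CONFIG = {
    "family": "gozi_rm3",
    "build": 300854,
    "botnet": 202004141,
    "c2": ["https://devicelease.xyz"],
    "server_id": 12,
    "url_path": "index.htm",
    "dga_base_url": "constitution.org/usdeclar.txt",
    "dga_crc": 0x4EB7D2CA,
    "dga_season": 10,
    "dga_tlds": ["com", "ru", "org"],
    "serpent_key": "8JbpEEfNYPlYoAN4",  # serpent.plain on the page
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Return modulus size, public exponent and DER SHA-256 of a PEM RSA key."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, algid, pos = _tlv(spki, 0)           # AlgorithmIdentifier
    _, oid, _ = _tlv(algid, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsakey, _ = _tlv(bitstr, 1)          # skip the unused-bits byte
    _, n_bytes, pos = _tlv(rsakey, 0)       # RSAPublicKey ::= SEQUENCE { n, e }
    _, e_bytes, _ = _tlv(rsakey, pos)
    n = int.from_bytes(n_bytes, "big")
    return {
        "bits": n.bit_length(),
        "e": int.from_bytes(e_bytes, "big"),
        "der_sha256": hashlib.sha256(der).hexdigest(),
    }


def serpent_key_bits(cfg=CONFIG):
    """Serpent accepts 128/192/256-bit keys; the plain value here is 16 bytes."""
    return len(cfg["serpent_key"].encode()) * 8


def network_iocs(cfg=CONFIG):
    """Separate hosts to block from the host the DGA only fetches seed text from."""
    c2 = sorted(urlsplit(u).hostname for u in cfg["c2"])
    seed_host = cfg["dga_base_url"].split("/", 1)[0]
    return {"block": c2, "seed_text_only": [seed_host]}


if __name__ == "__main__":
    key = parse_rsa_spki(PUBKEY_PEM)
    print(f"RSA-{key['bits']} e={key['e']} der_sha256={key['der_sha256']}")
    print("serpent key bits:", serpent_key_bits())
    print(network_iocs())
```

The key is RSA-1024 with e=65537; the DER hash is a stable fingerprint for matching other samples that embed the same operator key. Note that the `dga_base_url` host serves the public-domain seed text and is not the C2, so it belongs on a watch list rather than a blocklist.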

Signatures

  • Gozi RM3
    A heavily modified version of Gozi using the RM3 loader.
  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SetWindowsHookEx (22 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  All entries below are listed as top-level processes; the browser instances are not children of the sample. The 32-bit IEXPLORE.EXE workers are children of the iexplore.exe whose PID they carry in SCODEF.

  • C:\Users\Admin\AppData\Local\Temp\64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9.exe  (PID 3812)
    "C:\Users\Admin\AppData\Local\Temp\64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9.exe"

  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe  (PID 4988)
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

  • C:\Program Files\Internet Explorer\iexplore.exe  (PID 4624)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 4928)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17410 /prefetch:2
      Suspicious use of SetWindowsHookEx
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2924)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17418 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  • C:\Program Files\Internet Explorer\iexplore.exe  (PID 388)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2100)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:388 CREDAT:17410 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  • C:\Program Files\Internet Explorer\iexplore.exe  (PID 4996)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 3656)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4996 CREDAT:17410 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  • C:\Program Files\Internet Explorer\iexplore.exe  (PID 4264)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2448)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4264 CREDAT:17410 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  • C:\Program Files\Internet Explorer\iexplore.exe  (PID 3688)
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2516)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3688 CREDAT:17410 /prefetch:2

Network

  DNS (all queries sent to 8.8.8.8:53)

  • 14.110.152.52.in-addr.arpa  IN PTR
    1 request / 1 response, 72 B out, 146 B in; not attributed to a process, answer data not shown
  • devicelease.xyz  IN A  (from 64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9.exe, 17 queries in succession)
    1 request / 1 response each, 61 B out, 126 B in; the Response field is empty for every query, i.e. no A record came back

  Other connections (remote address, size, count, as listed)

  • 209.197.3.8:80        260 B   5
  • 104.110.191.133:80    322 B   7
  • 104.110.191.133:80    322 B   7
  • 52.168.112.66:443     322 B   7
  • 209.197.3.8:80        322 B   7
  • 209.197.3.8:80        260 B   5
  • 2.17.222.14:80        322 B   7

  Note: the configured C2 (https://devicelease.xyz) did not resolve during the run and no connection to it appears, so the loader never reached the next stage in this sandbox. The TCP flows above are not attributed to any process on this page and should not be treated as C2 traffic without further evidence.
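The Processes and Network sections together show the behavioural pattern a detection would key on: an executable run from the user's Temp directory, five iexplore.exe instances started with -Embedding (COM activation rather than a user launch, listed as top-level processes rather than children of the sample), and 17 A lookups for the configured C2 that returned no address. The block below is an added example, not a Triage or vendor rule. It runs two weak rules over constructed Sysmon-like event records (the field names `type`, `pid`, `image`, `cmdline`, `qname`, `qtype`, `answers` and the timestamps are this example's assumptions; the PIDs, paths and the query count are from the report) and alerts only when both rules land on the same process. Unanswered lookups and -Embedding browser starts are each common on their own, so the correlation is the point.

```python
"""Correlate unresolved-C2 DNS bursts with COM-launched browsers (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed event log, seeded with values from the report ---------------
T0 = datetime(2022, 5, 24, 23, 25, 0)        # assumed start, near submission time
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\64018b323f09aa7b6f94f19b61efbefa91d2fe575c57b9a5ccbf4c90d88991f9.exe")
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IELOW = r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"


def _ev(offset_s, **fields):
    return {"ts": T0 + timedelta(seconds=offset_s), **fields}


EVENTS = [
    _ev(0, type="process", pid=3812, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    _ev(5, type="process", pid=4988, image=IELOW,
        cmdline=f'"{IELOW}" -CLSID:{{0002DF01-0000-0000-C000-000000000046}} -Embedding'),
]
# Five top-level iexplore.exe -Embedding instances, PIDs as in the report.
EVENTS += [_ev(8 + 6 * i, type="process", pid=p, image=IE, cmdline=f'"{IE}" -Embedding')
           for i, p in enumerate((4624, 388, 4996, 4264, 3688))]
# Seventeen A lookups for the C2 from the sample, each with an empty answer section.
EVENTS += [_ev(10 + 9 * i, type="dns", pid=3812, qname="devicelease.xyz",
               qtype="A", answers=[]) for i in range(17)]

# --- rules -------------------------------------------------------------------
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}


def unanswered_dns_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{(pid, qname): n} for processes issuing >= threshold A/AAAA queries for
    one name with an empty answer section inside a single window."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "dns" and e["qtype"] in ("A", "AAAA") and not e["answers"]:
            by_key[(e["pid"], e["qname"].lower())].append(e["ts"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def embedded_browsers_after_temp_exe(events, min_browsers=3, window=timedelta(minutes=3)):
    """{temp_exe_pid: [browser pids]} where a program started from
    %LOCALAPPDATA%\\Temp is followed within `window` by >= min_browsers
    browser starts carrying -Embedding. No parent/child link is required,
    because the report lists the browsers as top-level processes."""
    procs = sorted((e for e in events if e["type"] == "process"), key=lambda e: e["ts"])
    out = {}
    for i, p in enumerate(procs):
        if not TEMP_RE.search(p["image"]):
            continue
        kids = [q["pid"] for q in procs[i + 1:]
                if q["ts"] - p["ts"] <= window
                and q["image"].lower().rsplit("\\", 1)[-1] in BROWSERS
                and "-embedding" in q["cmdline"].lower()]
        if len(kids) >= min_browsers:
            out[p["pid"]] = kids
    return out


def correlate(events):
    """Alert only where both weak signals land on the same process."""
    dns = unanswered_dns_bursts(events)
    browsers = embedded_browsers_after_temp_exe(events)
    return [{"pid": pid, "qname": qname, "dns_queries": n,
             "embedded_browsers": browsers[pid]}
            for (pid, qname), n in dns.items() if pid in browsers]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Tune `threshold` and the windows to your environment: a handful of NXDOMAIN-style lookups from a single process is normal, but a dozen-plus identical unanswered queries from a freshly written Temp executable while browsers are being COM-activated is the loader waiting on a C2 that is down, exactly what this run shows.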

        MITRE ATT&CK Enterprise v6


Downloads (memory dumps of PID 3812)

  • memory/3812-130-0x0000000000760000-0x0000000000771000-memory.dmp  (68KB)
  • memory/3812-137-0x0000000000400000-0x00000000004E5000-memory.dmp  (916KB; covers the 0x400000 image-base range, roughly the sample's 908KB on-disk size)
  • memory/3812-136-0x0000000000740000-0x000000000074C000-memory.dmp  (48KB)
