Overview

overview

10

Static

static

9

cadb1eee73...ae.exe

windows7_x64

10

cadb1eee73...ae.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cadb1eee7384345e0b027f1fdac079cc34f23cf48052a7c858a0cb6644b636ae.exe

  • Size

    250KB

  • MD5

    59b7e63f87329d52cf74e10f148cde0b

  • SHA1

    be354ec7ab8b33061a2fa8f0b8d84274376dd22d

  • SHA256

    cadb1eee7384345e0b027f1fdac079cc34f23cf48052a7c858a0cb6644b636ae

  • SHA512

    7e8d976177965048fb39e09f7bec7ba75ca3c7f6559d62e59d1f28ee36683be010c53b59d5e9183f663dc03f43748c0dbc78121a24e60abd12aaecb4b4f473b7

Score
10/10
gozi_rm390420251bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300904

Extracted

Family

gozi_rm3

Botnet

90420251

C2

https://vvietnamnews.xyz

Attributes
  • build

    300904

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cadb1eee7384345e0b027f1fdac079cc34f23cf48052a7c858a0cb6644b636ae.exe
    "C:\Users\Admin\AppData\Local\Temp\cadb1eee7384345e0b027f1fdac079cc34f23cf48052a7c858a0cb6644b636ae.exe"
    1⤵
      PID:4692
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4136
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1988
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1352
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4832 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4304
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:3768
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4940
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3324 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4616
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4492
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4648
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4648 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4968

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4692-130-0x00000000021A0000-0x00000000021C8000-memory.dmp
        Filesize

        160KB

        Download
      • memory/4692-131-0x0000000000400000-0x000000000043F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4692-132-0x0000000002170000-0x0000000002187000-memory.dmp
        Filesize

        92KB

        Download