Analysis
-
max time kernel
55s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-05-2022 00:08
Static task
static1
Behavioral task
behavioral1
Sample
89cb0c7c835e9a8f77e78f26c0ee38f83bf9da8b31dcd08ed9326fdd3958f534.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
89cb0c7c835e9a8f77e78f26c0ee38f83bf9da8b31dcd08ed9326fdd3958f534.exe
-
Size
619KB
-
MD5
f243b66901d4a69ded543d8bd4bc8db5
-
SHA1
603f66c0f68441528fe1ab7b39d1023fef266c3d
-
SHA256
89cb0c7c835e9a8f77e78f26c0ee38f83bf9da8b31dcd08ed9326fdd3958f534
-
SHA512
f092cb8565f0d346025b7e70069a8c218e07f07f151a6a37c624f63baf71bd46e00bfef6225722d5c2128de8fd397111d485036d1545cd07530d6b4fb5fe6ff7
Malware Config
Extracted
Family
gozi_rm3
Attributes
-
build
300900
-
exe_type
loader
Extracted
Family
gozi_rm3
Botnet
90020242
C2
https://vrhgroups.xyz
Attributes
-
build
300900
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnLBIFd8ENlbWBR6Mve3hFdwUQ
3
KngeHDeI6ZHfdoSY5iiGvcAu6O6F+f9hBJzYA9LsJqVLMvXTQMahO053kuqc9pRN
4
TJW6SoyOgLPfMhl5Q2+9qBvWUQzDH3vbOrJD0p79sTnfsMikRQ6+wVQ9+g++o28i
5
eNAgaJpU4bqwW1JmawIDAQAB
6
-----END PUBLIC KEY-----
serpent.plain
1
GixufGwVe0SpF7gm
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{443F1FAC-DBD0-11EC-B274-C6557A73C573} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4804 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4804 iexplore.exe 4804 iexplore.exe 3504 IEXPLORE.EXE 3504 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4804 wrote to memory of 3504 4804 iexplore.exe 80 PID 4804 wrote to memory of 3504 4804 iexplore.exe 80 PID 4804 wrote to memory of 3504 4804 iexplore.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\89cb0c7c835e9a8f77e78f26c0ee38f83bf9da8b31dcd08ed9326fdd3958f534.exe"C:\Users\Admin\AppData\Local\Temp\89cb0c7c835e9a8f77e78f26c0ee38f83bf9da8b31dcd08ed9326fdd3958f534.exe"1⤵PID:3600
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵PID:4812
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4804 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3504
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:2988
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:17410 /prefetch:22⤵PID:4068
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:2640
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:17410 /prefetch:22⤵PID:2608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:1572
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:17410 /prefetch:22⤵PID:1912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:2332
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:17410 /prefetch:22⤵PID:4988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:1036
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:17410 /prefetch:22⤵PID:400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:1648
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:17410 /prefetch:22⤵PID:2076
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵PID:3880
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3880 CREDAT:17410 /prefetch:22⤵PID:3504
-
Network
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Request15.89.54.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Request14.110.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
Remote address:8.8.8.8:53Requestvrhgroups.xyzIN AResponse
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
70 B 156 B 1 1
DNS Request
15.89.54.20.in-addr.arpa
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
72 B 146 B 1 1
DNS Request
14.110.152.52.in-addr.arpa
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz
-
59 B 124 B 1 1
DNS Request
vrhgroups.xyz