gozi_rm3 | 2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe
Size

216KB
MD5

cff9274db1f4113dc918a308855591b0
SHA1

263295f3a14ca098b72ed53095a01555d17dcd66
SHA256

2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb
SHA512

49597e5ce8d7f5c6b4a2850f96f3c6eba3b95cb390ec3ecf75722ccff35a0f89668f5ee87ff996de2fd8f61414e7224e66d974abf01a415596420ddccb6459be

Score

10^/10

gozi_rm3 2000 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300768
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

2000

cdn5.inmax.at

u2.inmax.at

api.fiho.at

t2.fiho.at

Attributes

build
300768
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
350
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	192.71.245.208
Destination IP	172.104.136.243
Destination IP	193.183.98.66
Destination IP	193.183.98.66
Destination IP	51.15.98.97
Destination IP	172.104.136.243
Destination IP	193.183.98.66
Destination IP	51.15.98.97
Destination IP	51.15.98.97
Destination IP	192.71.245.208
Destination IP	192.71.245.208
Destination IP	51.15.98.97
Destination IP	172.104.136.243
Destination IP	193.183.98.66
Destination IP	172.104.136.243
Destination IP	192.71.245.208

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 3508	2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe	80

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3508	2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe	80
PID 2736 wrote to memory of 3508	2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe	80
PID 2736 wrote to memory of 3508	2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe	80
PID 2736 wrote to memory of 3508	2736	2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe	80

C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe
"C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe
  "C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe"
  2⤵
  PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-131-0x0000000000EA0000-0x0000000000EB3000-memory.dmp

Filesize
76KB

Download
memory/3508-132-0x0000000000BB0000-0x0000000000BC1000-memory.dmp

Filesize
68KB

Download
memory/3508-138-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads