Overview

overview

10

Static

static

2ba6ac3fcd...bb.exe

windows7_x64

10

2ba6ac3fcd...bb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe

  • Size

    216KB

  • MD5

    cff9274db1f4113dc918a308855591b0

  • SHA1

    263295f3a14ca098b72ed53095a01555d17dcd66

  • SHA256

    2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb

  • SHA512

    49597e5ce8d7f5c6b4a2850f96f3c6eba3b95cb390ec3ecf75722ccff35a0f89668f5ee87ff996de2fd8f61414e7224e66d974abf01a415596420ddccb6459be

Score
10/10
gozi_rm32000bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300768

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

2000

C2

cdn5.inmax.at

u2.inmax.at

api.fiho.at

t2.fiho.at
Attributes
  • build

    300768

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    350

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe
    "C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe
      "C:\Users\Admin\AppData\Local\Temp\2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb.exe"
      2⤵
        PID:3508

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2736-131-0x0000000000EA0000-0x0000000000EB3000-memory.dmp
      Filesize

      76KB

      Download
    • memory/3508-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3508-132-0x0000000000BB0000-0x0000000000BC1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/3508-138-0x0000000001000000-0x000000000100F000-memory.dmp
      Filesize

      60KB

      Download