Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-06-2022 22:23

General

  • Target

    9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe

  • Size

    909KB

  • MD5

    d3b158ba2a81b4ddc15491ec4f7aa64b

  • SHA1

    44f60b8bb5cb309bbdda1197f9d716fe77d831ae

  • SHA256

    9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401

  • SHA512

    77ae26fc01a6243fa4cc02d8dc3aa62ce88b7fbb473ca758ca6e11c9f36d9e3b0278e1bfb1b1802b2d99893b4c19295f75b30baa7429843eb4d7d6d28406d3f7

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD3AfU4ayUEHchQ3H0W1/d3ziW
VNCFHWaAm8mJq6hQwn03GNGV7hOICH8h/+dZGEwYWVnRq128QMPZTIj0b+iqHKlM
sHzxEIZlWUVvnfbx6unDAC8aJXovmePrPvbHJ1FrplzlbILiPLvofh7pXzTdfcDQ
e3wfV7cbxJ3DXessqwIDAQAB
-----END PUBLIC KEY-----

serpent.plain

8JbpEEfNYPlYoAN4

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
    "C:\Users\Admin\AppData\Local\Temp\9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe"
    1⤵
      PID:2872
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3108
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4116 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4136
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4116 CREDAT:82950 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:424
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5056 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4800
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4744
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4260
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:376
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2612

      Network

      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query to 8.8.8.8:53: 106.89.54.20.in-addr.arpa IN PTR; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • DNS query from 9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe to 8.8.8.8:53: devicelease.xyz IN A; Response: (empty)
      • 93.184.220.29:80
        260 B
        5
      • 8.238.111.254:80
        322 B
        7
      • 51.105.71.136:443
        322 B
        7
      • 8.238.111.254:80
        322 B
        7
      • 8.238.111.254:80
        322 B
        7
      • 8.238.111.254:80
        322 B
        7
      • 204.79.197.203:80
        322 B
        7
      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        61 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        61 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        106.89.54.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        106.89.54.20.in-addr.arpa

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      • 8.8.8.8:53
        devicelease.xyz
        dns
        9f3c9768f9a0105f0642afe9a6b8ed4c99d6fca1a97c4624cf8f1a3d3866a401.exe
        61 B
        126 B
        1
        1

        DNS Request

        devicelease.xyz

      MITRE ATT&CK Enterprise v6

      Downloads

      • memory/2872-130-0x0000000002220000-0x000000000222C000-memory.dmp

        Filesize

        48KB

      • memory/2872-131-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/2872-132-0x0000000002240000-0x0000000002251000-memory.dmp

        Filesize

        68KB
