gozi_rm3 | 3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78

General

Target

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
Size

751KB
MD5

c81f71163fbe9c29bf34ad33e1678cad
SHA1

f49416d11f6b88cd918567f0a5edbab0376b03b6
SHA256

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78
SHA512

710a776f0e74b97a94cdab4606f5d923034b2cdcf22be5beab6addd7a56d9d02a389fbf2d01c94aa1a78c0ae081dbfde1c792c579fe4f77c6f03830f28712d5c

Score

10^/10

gozi_rm3 banker persistence trojan

Malware Config

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "110"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0065a62988ed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "26"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "26"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F910360-FA8B-11EC-838E-726C518001C0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "58"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363588700"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "58"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "26"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000062a5346d1cf301088fef0e51f57da5f8458b479190830bac8d4be718e0445623000000000e8000000002000020000000bdfcd163459aa1d126d4d6abd014642e94b4f846d89e8c7fffa1c6f274963c9320000000ab6b0d9ac3a0de245c2b5645d44c2bcaa0808f27b7e21738c5d61639ff14b121400000002d4399003b21701d61cabde5f0178ce2248305e26ae53a3d0eadf2dc48d95e0adc476840e3d343cda01acb3eaf05c880a30f944946d69cf1c810678f24f80cc3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "110"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "110"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec0000000000200000000001066000000010000200000004f978620637370a4d56a4ddeb50fd4bfddf29afd61fecf28aa4c418435718ad1000000000e800000000200002000000080e8bcda9461bbb2ef6ca5e5bbdf2b8e552eff00744bd500554e40883feb3e5090000000ff516543dfeb188e4900eeaff1288cdb72593924abeb21d54fe35d3be6c1ec1ef36f0b80ee612951c64c93e6648da6cdc77a4fff22542a91a0c3addb8f9b3fd4282b9884561cfddee7ebb077292d0179b5d4145fde0c2b18cd7de38857dcbb2e24802a536081b83bdc4dc354950a37738f1b0ddbec4bf6334a1aa214cf7c790162fd181245ef3c0a07576db5d41a279e4000000098f7e2982dd070a79cf9df30afac2df955f30a94b07b640569895e8f567692a8c16cc57516349f31da6a2a6bfd4e82a0b039dc0955615c6270755fa1a42b76e9	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exeiexplore.exe

pid	process
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
1004	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe

pid	process
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exeiexplore.exeIEXPLORE.EXE

pid	process
660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
1004	iexplore.exe
1004	iexplore.exe
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exeiexplore.exe

description	pid	process	target process
PID 660 wrote to memory of 1004	660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe	iexplore.exe
PID 660 wrote to memory of 1004	660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe	iexplore.exe
PID 660 wrote to memory of 1004	660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe	iexplore.exe
PID 660 wrote to memory of 1004	660	3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe	iexplore.exe
PID 1004 wrote to memory of 1288	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 1288	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 1288	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 1288	1004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe
"C:\Users\Admin\AppData\Local\Temp\3d8a0d250db8d3601e812e6c6e38ba97e12b7c9e455cda1b6bc33371b9dd6c78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://clownfish-translator.com/voicechanger/#download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
bf9c9a056b2fcc39a34ab1c2a2b4dd7d

SHA1
1c8c6326d91ac29c5e3507535897377ac19de83e

SHA256
d44ed999e5aee4ea7176592e6f9b49d4bfbbc876c447933499efce30d13a9a70

SHA512
b910dc056a991e0f8c02d4f1ea94a1f7a0f3c417a0b73d1207645e57370872c9f5f307edb496c685743c8e91ea95182ce7dfcc4120afea63147ca5f67a228edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat
Filesize
5KB

MD5
576a637bfac19d351d3fb46872401de3

SHA1
d1d055af6aaf9410d3b1252b9374d0c155c89a22

SHA256
e23e241f9134b50b0db1237e111d27e2341a63f99551a5d0ecb992ec59f29c5c

SHA512
03696153cb3b755a33fd78434f138310db5373e4fed984d85606b5fd525ed6c40a654832808d69e98cb520d440bd835c61330f9d4f963aea3ac5f6230d8973cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MY8UG1RD.txt
Filesize
600B

MD5
1a88f8b995f96ce51d9e4f3c502016cf

SHA1
dad9b7de98392a4640584f34b5fc66dd1d10793f

SHA256
0309e42883caa2a5e656a46e9f1f6260added32df495d7be125a9f680a9db263

SHA512
42f71dd3be3104ccb8bdd622da20a82d9160159bf01062b76810414d05b97b4e0cc586f0b810e9b2f6cba8434912b8e7faf6b79afd824ba86c3f3d3183ad97ec

Download Submit
memory/660-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads