Overview

overview

10

Static

static

01a3835bbc...eb.exe

windows7_x64

10

01a3835bbc...eb.exe

windows10-2004_x64

6

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    05-07-2022 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01a3835bbcf655cd4e5331da7594f50d582a79e437cbda52c7365f76fa5987eb.exe

  • Size

    155KB

  • MD5

    7fe0c480e6e5502dd307d4bc5a22aff3

  • SHA1

    af19f88f91b80df3eab8359bab2323ef217685f3

  • SHA256

    01a3835bbcf655cd4e5331da7594f50d582a79e437cbda52c7365f76fa5987eb

  • SHA512

    a82519ffec4932fd1a79f1f51e10e3a758206ac33d4135c6731c65f0ca2b3b75818b3c6abac031f8bda94d59baf562294a3619b8d1c4a0e97806d99daff084c3

Score
10/10
gozi_rm3bankertrojan

Malware Config

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01a3835bbcf655cd4e5331da7594f50d582a79e437cbda52c7365f76fa5987eb.exe
    "C:\Users\Admin\AppData\Local\Temp\01a3835bbcf655cd4e5331da7594f50d582a79e437cbda52c7365f76fa5987eb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\164F.tmp\1650.tmp\1661.bat C:\Users\Admin\AppData\Local\Temp\01a3835bbcf655cd4e5331da7594f50d582a79e437cbda52c7365f76fa5987eb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\reg.exe
          reg query HKEY_CLASSES_ROOT\http\shell\open\command
          4⤵
            PID:1144
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://www.jining.gov.cn/col/col78128/index.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:1980
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
      1⤵
        PID:1432

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        60KB

        MD5

        589c442fc7a0c70dca927115a700d41e

        SHA1

        66a07dace3afbfd1aa07a47e6875beab62c4bb31

        SHA256

        2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

        SHA512

        1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        340B

        MD5

        13867363cc4c75e3b7a4a6a5c8a1f81a

        SHA1

        ea29c8857a4f47a76b0af93757683aa19ddcfbc5

        SHA256

        04a0c85136ae56fe7db5c78f6edd1741c4aa77195585cb6b9d507fa3c2fc62c6

        SHA512

        c9ae765e1566a9531cc4178616439315831a0e80fbc19fcec7d411ac4901aa4b5ec8db9130afd27fc6dbd964aadbeb90798b7e7f48049d639e22c38b19af1f22

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\164F.tmp\1650.tmp\1661.bat
        Filesize

        215B

        MD5

        e29ebcc9b829d97fb5c742f8275d497e

        SHA1

        8bd678be71499fdfb5a20e2917761e36f74d3206

        SHA256

        40313e3f0f92ff70966575be2f772d85a927d18ee72ea102823241a128581246

        SHA512

        b5617ded91d6e495466345bd19d754a18801d7f105e5c13d0b456063b4a985f8db3f45751c08012fc91bff4787c1cb401b041c0a105bbd7ca1f63f24e2cff8c5

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QUA4A58D.txt
        Filesize

        606B

        MD5

        a888a0a8c69a602aab9001914d833de1

        SHA1

        21eb988fe35bd5f4d6aa7cb31a31fb08f7f4380b

        SHA256

        ddb8f0c363d34acaec16acca14c573a157c06c690a6c7766ea0243544399d9f1

        SHA512

        15404ed823d4150b7a27d34db79c12610e740e867f58be424dc637b41df974eb59dd23e2eb392296b7380baf2271b73b31833d907233657cc313d45d7ccec227

        Download Submit
      • memory/948-55-0x0000000000000000-mapping.dmp
        Download
      • memory/948-59-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1092-54-0x0000000076571000-0x0000000076573000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1144-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1952-57-0x0000000000000000-mapping.dmp
        Download