Overview

overview

10

Static

static

3

Render Lea...or.exe

windows11-21h2-x64

10

Render Lea...ry.exe

windows11-21h2-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Render Leak.rar

  • Size

    80.8MB

  • Sample

    240601-ryvdsseg4t

  • MD5

    820050cd084e630670e8b78579d44a5c

  • SHA1

    20fff4868838a111705622dec6019905e8ff9782

  • SHA256

    5108dffa7044826aae597f21cb2aaceed5d1b1fa4cb34a4494d1e500e578d436

  • SHA512

    63d8f7246101fcb0c48291efa5cb36877a463e9fb9b043ca3dd6dac0733099387c582f7385e7e76f16801ee5820948e3c030d7c485d23c61c5a3f6a304dd5c83

  • SSDEEP

    1572864:k4gPXMoGTgUtcBh2swu87JWVIAESWXzXiSpfVrVPFAbWUIN+0QPatdxx9E:k4AcpT6Bh2swug4DNWjSSpfVrVebAN+f

Score
10/10
gozibankerexecutionisfbpersistencespywarestealertrojan

Malware Config

Extracted

Family

gozi

Targets

    • Target

      Render Leak/RenderPrivateExecutor.exe

    • Size

      11KB

    • MD5

      b255f2988558b9dbc3cc5a9814803364

    • SHA1

      6cab200559f340364b3a3cea3cf321e7d32cec97

    • SHA256

      f2a05b8bcb63042b9af36a0aa52bca8ae9de5664edc6bb1a46499ab9516e4ae5

    • SHA512

      5bcf60d73069c15087cce591b4f3bf125b3649528758068859c6ef510b811c336962afdc20ee29a805a90fd7eff98ae7b97062035666144ae0e78d19796773d3

    • SSDEEP

      192:598Jf9mV2Xm51Mpa0kGea0ICntHvl7QYrm/sxn8Ft1eSwcU1r:59AoMpauL0/vhQYKUxsjJd8

    Score
    10/10
    gozibankerisfbtrojan

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      Render Leak/RenderScriptLibarry.exe

    • Size

      80.8MB

    • MD5

      e13f33e9de257f82bd239aa75336fe13

    • SHA1

      e3031c13f89cb6c43fbc39464feb16238fc504af

    • SHA256

      835e0e02dc6b136e69c5b9be40b35a18817a2f581c7e6f695a1add9d03cee60a

    • SHA512

      2e669360e642ffe2531d425c45b1c0c45b2563bbbc844c73274dadf36cc13767275632aa85772972780e0aee7f561de7dbcb1da66c0235d831498e364ef74548

    • SSDEEP

      1572864:Y4gPXMoGTgUtcBh2swu87JWVIAESWXzXiSpfVrVPFAbWUIN+0QPatdxx97:Y4AcpT6Bh2swug4DNWjSSpfVrVebAN+y

    Score
    7/10
    executionpersistencespywarestealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks