Overview

overview

10

Static

static

8

book-AUY70...21.xls

windows7_x64

10

book-AUY70...21.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    book-AUY70-04022021.xls

  • Size

    139KB

  • Sample

    210205-bg2j9k67da

  • MD5

    6bc6146cc33968b9b1f1ea29a65f28aa

  • SHA1

    e681ce7f9b6a16c9926817c18365ba3610366da4

  • SHA256

    8162e0799dc6887d63119af7836399684041e981d8e1cc48d0bf852dc785d8ce

  • SHA512

    0e8fe206306c1fa2f5f27a9df172d8c8f6667eb67cb2ac58a0e9d2c928ba3725d1d3c857449a66b1f1f6154a8240a4234b95a61fd451a17c41dbe077874f5fa1

Score
10/10
gozi_rm3201193207bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://uidacrtsppxece.com/ioir.png

Extracted

Family

gozi_rm3

Botnet

201193207

C2

https://topitophug.xyz

Attributes
  • build

    300932

  • exe_type

    loader

rsa_pubkey.base64
serpent.plain

Targets

    • Target

      book-AUY70-04022021.xls

    • Size

      139KB

    • MD5

      6bc6146cc33968b9b1f1ea29a65f28aa

    • SHA1

      e681ce7f9b6a16c9926817c18365ba3610366da4

    • SHA256

      8162e0799dc6887d63119af7836399684041e981d8e1cc48d0bf852dc785d8ce

    • SHA512

      0e8fe206306c1fa2f5f27a9df172d8c8f6667eb67cb2ac58a0e9d2c928ba3725d1d3c857449a66b1f1f6154a8240a4234b95a61fd451a17c41dbe077874f5fa1

    Score
    10/10
    gozi_rm3201193207bankertrojan

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

      bankertrojangozi_rm3

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks