gozi_rm3 | f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f | Triage

Resubmissions

05-02-2021 13:55

210205-lmm8e3abda 10

05-02-2021 13:42

210205-serhwbtcf2 10

Sharing

General

Target

32b2d32af004b6039b73f4ccd73df2bafe7a0343
Size

539KB
Sample

210205-lmm8e3abda
MD5

d31c0491f522d6b9f2102109bd2420af
SHA1

dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256

f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
SHA512

48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

Score

10^/10

gozi_rm3 201193207 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193207

C2

https://topitophug.xyz

Attributes

build
300932
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  32b2d32af004b6039b73f4ccd73df2bafe7a0343
- Size
  
  539KB
- MD5
  
  d31c0491f522d6b9f2102109bd2420af
- SHA1
  
  dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
- SHA256
  
  f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
- SHA512
  
  48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd
Score

10^/10

gozi_rm3 201193207 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3201193207bankertrojan

behavioral2

gozi_rm3201193207bankertrojan