gozi_rm3 | 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec | Triage

Resubmissions

02-11-2021 03:48

211102-edasfagdbj 10

09-03-2021 16:03

210309-zdaphqpyje 10

24-12-2020 08:00

201224-p53mst8e3j 10

Sharing

General

Target

drfone.exe
Size

198KB
Sample

210309-zdaphqpyje
MD5

545f38fbb74881142712052a5b6eabce
SHA1

4cbaf1ecb48629b163f4387605c8a9011e89183c
SHA256

7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
SHA512

d58a0dd4dfce60fce85e7fbee653828dfcd6e0ff093ea3b92e5588bd8ca05bc5502e4f71145b7fa13645034db122c5ceb5c8b579d5525ceb4ec30ee161fd3673

Score

10^/10

gozi_rm3 201193204 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

201193204

C2

https://hapynewyear.xyz

Attributes

build
300932
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  drfone.exe
- Size
  
  198KB
- MD5
  
  545f38fbb74881142712052a5b6eabce
- SHA1
  
  4cbaf1ecb48629b163f4387605c8a9011e89183c
- SHA256
  
  7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
- SHA512
  
  d58a0dd4dfce60fce85e7fbee653828dfcd6e0ff093ea3b92e5588bd8ca05bc5502e4f71145b7fa13645034db122c5ceb5c8b579d5525ceb4ec30ee161fd3673
Score

10^/10

gozi_rm3 201193204 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3201193204bankertrojan