gozi_rm3 | afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984 | Triage

Sharing

General

Target

cessentl1.dll
Size

449KB
Sample

210325-fk36nwc2h6
MD5

caec766872f0fc3c7e4af0bf1e5cc939
SHA1

dfb603663f5de381eafb617dccf51a2c30f34a4d
SHA256

afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
SHA512

aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1

Score

10^/10

gozi_rm3 210301 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

210301

C2

https://gotoregt.space

Attributes

build
300960
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  cessentl1.dll
- Size
  
  449KB
- MD5
  
  caec766872f0fc3c7e4af0bf1e5cc939
- SHA1
  
  dfb603663f5de381eafb617dccf51a2c30f34a4d
- SHA256
  
  afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984
- SHA512
  
  aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1
Score

10^/10

gozi_rm3 210301 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_rm3210301bankertrojan

behavioral2

gozi_rm3210301bankertrojan