General

  • Target

    cessentl1.dll

  • Size

    449KB

  • Sample

    210325-fk36nwc2h6

  • MD5

    caec766872f0fc3c7e4af0bf1e5cc939

  • SHA1

    dfb603663f5de381eafb617dccf51a2c30f34a4d

  • SHA256

    afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984

  • SHA512

    aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1

Malware Config

Extracted

Family

gozi_rm3

Botnet

210301

C2

https://gotoregt.space

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain
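The extracted config above is only useful once it is turned into something that can be matched against files and traffic. The following is an added example (not part of the sandbox report and not tooling from the sandbox vendor): it parses the "Malware Config / Extracted" block exactly as laid out on this page, checks that the four digests in the General section are well-formed, and derives a small IOC set from them. Two points are assumptions, not facts the report states: that url_path is the request path appended to the C2 base URL (the report lists them separately and shows no full URL), and the Suricata rule sid, which is an arbitrary placeholder.

```python
"""Turn this report's extracted Gozi RM3 config and hashes into checkable IOCs.
Added example; not code from the sandbox report or from any vendor tooling."""
import hashlib
import re
from urllib.parse import urljoin, urlparse

# Digests copied from the General section of the report.
SAMPLE_HASHES = {
    "md5": "caec766872f0fc3c7e4af0bf1e5cc939",
    "sha1": "dfb603663f5de381eafb617dccf51a2c30f34a4d",
    "sha256": "afe4ae071261d7c5e03b4e96e253182a270d1e2c4f772d4d947e5d5cf3005984",
    "sha512": "aa22e020c44220258aabf0950de87846860c4a7bea1a6e9c50f2a7fa6ca537952398b2322acab8a24c75424cabc1466cf00714d884db4f2252bf60b586e0ecf1",
}

# The "Extracted" block reproduced as plain text so the parser has realistic input.
CONFIG_TEXT = """\
Family
gozi_rm3
Botnet
210301
C2
https://gotoregt.space
Attributes
  • build
    300960
  • exe_type
    loader
  • non_target_locale
    RU
  • server_id
    12
  • url_path
    index.htm
"""

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_hashes(hashes):
    """Return the names of digests that are not lowercase hex of the expected length."""
    bad = []
    for name, value in hashes.items():
        n = EXPECTED_HEX_LEN.get(name)
        if n is None or not re.fullmatch(r"[0-9a-f]{%d}" % n, value):
            bad.append(name)
    return bad


def parse_extracted_config(text):
    """Parse the report layout: a label line followed by its value line.
    Everything after the 'Attributes' label is folded into cfg['attributes']."""
    cfg = {"attributes": {}}
    in_attrs = False
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Attributes":          # label with no value: switches mode
            in_attrs = True
            key = None
            continue
        if key is None:                   # label line (bullet stripped)
            key = line.lstrip("• ").lower()
            continue
        target = cfg["attributes"] if in_attrs else cfg
        target[key] = line                # value line
        key = None
    return cfg


def build_iocs(cfg, hashes):
    """Derive a flat IOC record from the parsed config and the file digests."""
    c2 = cfg["c2"]
    # ASSUMPTION: url_path is appended to the C2 base URL; the report does not show a full URL.
    full_url = urljoin(c2.rstrip("/") + "/", cfg["attributes"].get("url_path", ""))
    return {
        "family": cfg["family"],
        "botnet": cfg["botnet"],
        "server_id": int(cfg["attributes"]["server_id"]),
        "c2_host": urlparse(c2).hostname,
        "c2_url": full_url,
        "hashes": dict(hashes),
    }


def matches_sample(data, hashes=SAMPLE_HASHES):
    """True only if every listed digest of `data` equals the report's value."""
    return all(hashlib.new(name, data).hexdigest() == value
               for name, value in hashes.items())


def suricata_dns_rule(iocs, sid=1000001):
    """Suricata 5+ rule for a DNS lookup of the C2 host (sid is a placeholder)."""
    return ('alert dns any any -> any any (msg:"%s C2 DNS lookup %s"; dns.query; '
            'content:"%s"; nocase; sid:%d; rev:1;)'
            % (iocs["family"], iocs["c2_host"], iocs["c2_host"], sid))


if __name__ == "__main__":
    assert not validate_hashes(SAMPLE_HASHES), "malformed digest in report"
    iocs = build_iocs(parse_extracted_config(CONFIG_TEXT), SAMPLE_HASHES)
    print(iocs)
    print(suricata_dns_rule(iocs))
```

Feed a file's bytes to matches_sample() to confirm it is this exact sample; the DNS rule and c2_url are the network-side counterparts of the "Blocklisted process makes network request" signature below.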

Targets

    • Target

      cessentl1.dll

    • Gozi RM3

      A heavily modified version of Gozi that uses the RM3 loader.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1 signature

Tasks