631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

General
Target

631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

Size

271KB

Sample

210401-qkflfw47me

Score
10 /10
MD5

18d22f87d6d2b149796ab187afe9efe9

SHA1

08ce312f4f0d94948271f7557ff9b6579631862b

SHA256

631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

SHA512

b8a45829cc2db4959779ecf4fd5d188d7fbabf5270b998e1107e443cab73ab8314fc070b6c183cac630128f1cf1f914e33731bc3fb54136c22e0998ded4195d9

Malware Config

Extracted

Family gozi_rm3
Botnet 202004081
C2

https://triomigratio.xyz

Attributes
build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12
url_path
index.htm
rsa_pubkey.plain
serpent.plain
Targets
Target

631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

MD5

18d22f87d6d2b149796ab187afe9efe9

Filesize

271KB

Score
10 /10
SHA1

08ce312f4f0d94948271f7557ff9b6579631862b

SHA256

631aa788235fd895c3e68c0be500596d1daecfc29cc1faa1ef4cd0f59eba43b6

SHA512

b8a45829cc2db4959779ecf4fd5d188d7fbabf5270b998e1107e443cab73ab8314fc070b6c183cac630128f1cf1f914e33731bc3fb54136c22e0998ded4195d9

Tags

Signatures

  • Gozi RM3

    Description

    A heavily modified version of Gozi using RM3 loader.

    Tags

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        9/10

                        behavioral1

                        10/10

                        behavioral2

                        10/10