gozi_rm3 | eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605 | Triage

Resubmissions

19-04-2021 09:51

210419-vsfnbxzjyn 10

Sharing

General

Target

selected-jobs.xls
Size

1.9MB
Sample

210419-vsfnbxzjyn
MD5

4ab1efff60052e63eaace56a29413b62
SHA1

6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866
SHA256

eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605
SHA512

a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055

Score

10^/10

gozi_rm3 210306 banker trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://shemagh.pk/otp.txt

Extracted

Family

gozi_rm3

Botnet

210306

C2

https://getroad.xyz

Attributes

build
300960
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  selected-jobs.xls
- Size
  
  1.9MB
- MD5
  
  4ab1efff60052e63eaace56a29413b62
- SHA1
  
  6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866
- SHA256
  
  eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605
- SHA512
  
  a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055
Score

10^/10

gozi_rm3 210306 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gozi_rm3210306bankertrojan