General

  • Target

    opp.txt

  • Size

    1.1MB

  • Sample

    210423-hbn141e6c2

  • MD5

    bbf3ed74a83120758af983464b88e3eb

  • SHA1

    b95508884992751bad7acf1d3dc7483d4b759ff4

  • SHA256

    7833f76ed77ad166a3ff35e04a2a20c27c321709fed297ebe1f782b34ae1ae7d

  • SHA512

    ac73315fac39aeba2de341a493d2065259031605850e959b5ba126ee95c5f1241bf1ae096b75d63673cee3daef9e90741fec34789d36462012e7317d6436626a

Malware Config

Extracted

Family

gozi_rm3

Botnet

210307

C2

https://thetopdomain.xyz

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      opp.txt

    • Size

      1.1MB

    • MD5

      bbf3ed74a83120758af983464b88e3eb

    • SHA1

      b95508884992751bad7acf1d3dc7483d4b759ff4

    • SHA256

      7833f76ed77ad166a3ff35e04a2a20c27c321709fed297ebe1f782b34ae1ae7d

    • SHA512

      ac73315fac39aeba2de341a493d2065259031605850e959b5ba126ee95c5f1241bf1ae096b75d63673cee3daef9e90741fec34789d36462012e7317d6436626a

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Tasks