Overview

overview

10

Static

static

tru.bin.dll

windows7_x64

10

tru.bin.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tru.bin.zip

  • Size

    250KB

  • Sample

    210707-2veyx27k7x

  • MD5

    7e1a306797999fc7b8047a0b9c8823cb

  • SHA1

    6a3b0dbb7147027e6e60a0ab52e29f1c0a72c8c0

  • SHA256

    513ca17750703ba1cfd6059502b704bcb0544fa25b8f7397d44cd2f6c8d96b71

  • SHA512

    d32309c8146ef16fc0246e5b41fcc4c21bd5a526e857bb7af120e7c0df106431b8773701b28beb4faab6ad5154df9f42a46555d4274250931046a3f5dd7ccb24

Score
10/10
gozi_rm3202106221bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300974

Extracted

Family

gozi_rm3

Botnet

202106221

C2

https://bussipod.xyz

Attributes
  • build

    300974

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
aes.plain

Targets

    • Target

      tru.bin

    • Size

      395KB

    • MD5

      5522c21a05daf91658951bdf1c0e5271

    • SHA1

      fed4a9b4069cd2676928441ecf8c844cc7f4a9ee

    • SHA256

      eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993

    • SHA512

      d97a8021b9688c612e280ffcb5443916b9d09857daf82a62bd5efac35efeff138125466a74579568dd655cd66cd5085e10cedb4caf7981f4ee9f240839b33d55

    Score
    10/10
    gozi_rm3202106221bankertrojan

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

      bankertrojangozi_rm3

    • Blocklisted process makes network request

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks