gozi_rm3 | 513ca17750703ba1cfd6059502b704bcb0544fa25b8f7397d44cd2f6c8d96b71 | Triage

Sharing

General

Target

tru.bin.zip
Size

250KB
Sample

210707-2veyx27k7x
MD5

7e1a306797999fc7b8047a0b9c8823cb
SHA1

6a3b0dbb7147027e6e60a0ab52e29f1c0a72c8c0
SHA256

513ca17750703ba1cfd6059502b704bcb0544fa25b8f7397d44cd2f6c8d96b71
SHA512

d32309c8146ef16fc0246e5b41fcc4c21bd5a526e857bb7af120e7c0df106431b8773701b28beb4faab6ad5154df9f42a46555d4274250931046a3f5dd7ccb24

Score

10^/10

gozi_rm3 202106221 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300974

Extracted

Family

gozi_rm3

Botnet

202106221

C2

https://bussipod.xyz

Attributes

build
300974
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  tru.bin
- Size
  
  395KB
- MD5
  
  5522c21a05daf91658951bdf1c0e5271
- SHA1
  
  fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
- SHA256
  
  eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
- SHA512
  
  d97a8021b9688c612e280ffcb5443916b9d09857daf82a62bd5efac35efeff138125466a74579568dd655cd66cd5085e10cedb4caf7981f4ee9f240839b33d55
Score

10^/10

gozi_rm3 202106221 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202106221bankertrojan

behavioral2

gozi_rm3202106221bankertrojan