gozi_rm3 | 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82

General

Target

2217.js
Size

278KB
Sample

210903-s1xsdadcc8
MD5

ed8988f1433e30276b87384f16825116
SHA1

10c3b841313d765e380460506d5e760b2423680a
SHA256

90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82
SHA512

aae697ea7ebe642a21a7e6670d1d5d0c761f85e2a9fada7f27d0f67f1ee1b4deec63cb316111302c3dbaf53dc12a75eb369bbdcae67d08af853a8c859d41482e

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://quickdrive.ae/js/JS000082510952000/dll/assistant.php

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

C2

https://hotroad.cyou

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  2217.js
- Size
  
  278KB
- MD5
  
  ed8988f1433e30276b87384f16825116
- SHA1
  
  10c3b841313d765e380460506d5e760b2423680a
- SHA256
  
  90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82
- SHA512
  
  aae697ea7ebe642a21a7e6670d1d5d0c761f85e2a9fada7f27d0f67f1ee1b4deec63cb316111302c3dbaf53dc12a75eb369bbdcae67d08af853a8c859d41482e
Score

10^/10

gozi_rm3 202108021 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Blocklisted process makes network request
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Gozi RM3

Blocklisted process makes network request

Executes dropped EXE

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2