gozi_rm3 | 3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06 | Triage

Sharing

General

Target

3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
Size

717KB
Sample

220201-h8jklsbcd3
MD5

8301016527149e8eafe47519c00bb8be
SHA1

503c6df6f8c855fef4f8f080c0ff23e5da5c0756
SHA256

3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
SHA512

9c2e0dfa51405c9735e458886e6dbdde2d62e5c5a4dec3eeb183b284c3c702ab3fb747ac144683664f1fb20e855cdcdf3ac9e07907fa6eddb2e1e745d2fd6b59

Score

10^/10

gozi_rm3 7000 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300784

Extracted

Family

gozi_rm3

Botnet

7000

C2

y1.rexa.at

loop.rexa.at

Attributes

build
300784
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
350
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
- Size
  
  717KB
- MD5
  
  8301016527149e8eafe47519c00bb8be
- SHA1
  
  503c6df6f8c855fef4f8f080c0ff23e5da5c0756
- SHA256
  
  3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
- SHA512
  
  9c2e0dfa51405c9735e458886e6dbdde2d62e5c5a4dec3eeb183b284c3c702ab3fb747ac144683664f1fb20e855cdcdf3ac9e07907fa6eddb2e1e745d2fd6b59
Score

10^/10

gozi_rm3 7000 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm37000bankertrojan

behavioral2