gozi_rm3 | ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b | Triage

Sharing

General

Target

ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
Size

53KB
Sample

220201-kta12abgcn
MD5

b0fecfeb86217600bc3308aae08a2b82
SHA1

d40b663632d57b9c5449d3a080ba3895b0a138d6
SHA256

ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
SHA512

2ced7bc4a542644e6341a80e66060fb118a7275352e2e60a00e4276bba5886dcf1a6f815bf1e27f58090dfe80251cd8ab08336699a4efa86fd191b7bcee3a553

Score

10^/10

gozi_rm3 201908051 persistence

Malware Config

Extracted

Family

gozi_rm3

Attributes

exe_type
loader

Extracted

Family

gozi_rm3

Botnet

201908051

C2

https://corpington.pw

Attributes

build
300768
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
- Size
  
  53KB
- MD5
  
  b0fecfeb86217600bc3308aae08a2b82
- SHA1
  
  d40b663632d57b9c5449d3a080ba3895b0a138d6
- SHA256
  
  ed0eec7fe2565a0f38019172722d04b200a036a96ca6e92bfa5e4bf74bdb5a2b
- SHA512
  
  2ced7bc4a542644e6341a80e66060fb118a7275352e2e60a00e4276bba5886dcf1a6f815bf1e27f58090dfe80251cd8ab08336699a4efa86fd191b7bcee3a553
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

201908051gozi_rm3

behavioral1

behavioral2