gozi_rm3 | 53e467867988f32cf3b0edf822755ddaa5264aa0e7be5bbaf4728754824219c4 | Triage

Sharing

General

Target

53e467867988f32cf3b0edf822755ddaa5264aa0e7be5bbaf4728754824219c4
Size

54KB
Sample

220201-mescwacgfm
MD5

ba2cb9b75781ede9afab78924ab7a016
SHA1

cd781d469a0f8f52dcef5f75072c16b970e0e31e
SHA256

53e467867988f32cf3b0edf822755ddaa5264aa0e7be5bbaf4728754824219c4
SHA512

d0174240d9d396fdc8a3066959f569c830f7ef3915d33ad74491dfa1b78f23f155f73f23b71bf94f0dd5ad9d712e8530d434dee059c4d877ee01b40cc9951110

Score

10^/10

gozi_rm3 201910301 persistence

Malware Config

Extracted

Family

gozi_rm3

Attributes

exe_type
loader

Extracted

Family

gozi_rm3

Botnet

201910301

C2

https://jamesdrywall.xyz

Attributes

build
300794
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  53e467867988f32cf3b0edf822755ddaa5264aa0e7be5bbaf4728754824219c4
- Size
  
  54KB
- MD5
  
  ba2cb9b75781ede9afab78924ab7a016
- SHA1
  
  cd781d469a0f8f52dcef5f75072c16b970e0e31e
- SHA256
  
  53e467867988f32cf3b0edf822755ddaa5264aa0e7be5bbaf4728754824219c4
- SHA512
  
  d0174240d9d396fdc8a3066959f569c830f7ef3915d33ad74491dfa1b78f23f155f73f23b71bf94f0dd5ad9d712e8530d434dee059c4d877ee01b40cc9951110
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

201910301gozi_rm3

behavioral1

behavioral2