gozi_rm3 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

General

Target

022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
Size

99KB
Sample

220205-1jw4hsfhfq
MD5

20abc2fc4ae0ddc631322df67c828c17
SHA1

30fc7b84a438df84624e79d5365d4bd959fb5f72
SHA256

022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
SHA512

cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note

C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�

URLs

http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Ransom Note

C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�

URLs

http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A

Targets

- Target
  
  022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
- Size
  
  99KB
- MD5
  
  20abc2fc4ae0ddc631322df67c828c17
- SHA1
  
  30fc7b84a438df84624e79d5365d4bd959fb5f72
- SHA256
  
  022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
- SHA512
  
  cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1
Score

10^/10

gozi_rm3 banker evasion persistence ransomware suricata trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
  suricata: ET MALWARE Ransomware/Cerber Checkin 2
  suricata
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)
  suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)
  suricata
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)
  suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2