gozi_rm3 | f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25 | Triage

Sharing

General

Target

f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
Size

944KB
Sample

220205-jqfxfahcb6
MD5

b31b8740568360abdfcf934916c65bca
SHA1

7926eb5dc593c8a82bd5b7aecbbcd1255f4e6685
SHA256

f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
SHA512

77ee7ff01783d9eb13587952f2d4e8440a32f6533435fe8cfd36a55bc74b7a7382bfffb49646d4e49ed9a556d961e6ab8e67c5e53f76682c59762456a6aaf6a9

Score

10^/10

gozi_rm3 202004031 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004031

C2

https://highmynameis.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
- Size
  
  944KB
- MD5
  
  b31b8740568360abdfcf934916c65bca
- SHA1
  
  7926eb5dc593c8a82bd5b7aecbbcd1255f4e6685
- SHA256
  
  f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
- SHA512
  
  77ee7ff01783d9eb13587952f2d4e8440a32f6533435fe8cfd36a55bc74b7a7382bfffb49646d4e49ed9a556d961e6ab8e67c5e53f76682c59762456a6aaf6a9
Score

10^/10

gozi_rm3 202004031 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004031bankertrojan

behavioral2