Resubmissions

15-03-2022 08:05

220315-jy3feaahdk 10

15-03-2022 07:24

220315-h8lpzaghf8 10

General

  • Target: Restr.com
  • Size: 252KB
  • Sample: 220315-jy3feaahdk
  • MD5: 16959900ff34c0ba60fe2a4d9f1242c5
  • SHA1: 888148f1b31355192e26ea4fc97c91f4c4defe9e
  • SHA256: 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
  • SHA512: a2b7a74fdc6525c5b8ecafc66706136e1e3996e28ebb3b1d8e236b120e59f8c4e85165f385365d706a8391ae2a5f30530a086c7820e26d1a6cd2f19a44da5d54

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build: 300994

rsa_pubkey.plain

Targets

    • Gozi RM3: A heavily modified version of Gozi using the RM3 loader.
    • Grants admin privileges: Uses net.exe to modify the user's privileges.
    • Deletes itself
    • Uses Tor communications: Malware can proxy its traffic through Tor for more anonymity.
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks