General

  • Target

    520636dbbdc33d8dbdf1b14f043b46f8.exe

  • Size

    252KB

  • Sample

    220315-rdvttscdc3

  • MD5

    520636dbbdc33d8dbdf1b14f043b46f8

  • SHA1

    20eec5615c4ecca3603f889bccf975c855fa7a07

  • SHA256

    bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb

  • SHA512

    fc3869cf9a917b21e16f2f7150dbf78227c4e52a4f73a3b572555f38b2ae51358f32d0af7e08dc944529a1ed931f4cd09c694a92ad6b5680de58c4a2149077b6

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

  • rsa_pubkey.plain

Targets

    • Target

      520636dbbdc33d8dbdf1b14f043b46f8.exe

    • Size

      252KB

    • MD5

      520636dbbdc33d8dbdf1b14f043b46f8

    • SHA1

      20eec5615c4ecca3603f889bccf975c855fa7a07

    • SHA256

      bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb

    • SHA512

      fc3869cf9a917b21e16f2f7150dbf78227c4e52a4f73a3b572555f38b2ae51358f32d0af7e08dc944529a1ed931f4cd09c694a92ad6b5680de58c4a2149077b6

    Score
    10/10
    • Gozi RM3

      A heavily modified version of Gozi that is delivered by the RM3 loader.

    • Deletes itself

    • Uses Tor communications

      The malware can proxy its network traffic through Tor to hide the endpoints it talks to.

    • Drops file in System32 directory
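The report gives four digests for the sample and three behaviour signatures but no sandbox events behind them. The following Python is an added example, not code from the sandbox vendor or the report: it confirms that a file on disk is the same sample as the one reported (a filename match proves nothing; the digests do), and it shows one way the three signatures could be evaluated over a normalised sandbox event stream. The Event schema, the SAMPLE_PATH, the dropped-file name, the self-delete command line and the Tor heuristic (local SOCKS ports 9050/9150 or a .onion host) are assumptions of this example; the sample events are constructed and are not taken from the report.

```python
"""Added example: verify a sample against the report's digests and evaluate
the report's three behaviour signatures over constructed sandbox events."""
import hashlib
import re
from dataclasses import dataclass

# Digests exactly as listed in the report for 520636dbbdc33d8dbdf1b14f043b46f8.exe.
REPORTED = {
    "md5": "520636dbbdc33d8dbdf1b14f043b46f8",
    "sha1": "20eec5615c4ecca3603f889bccf975c855fa7a07",
    "sha256": "bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb",
    "sha512": ("fc3869cf9a917b21e16f2f7150dbf78227c4e52a4f73a3b572555f38b2ae5135"
               "8f32d0af7e08dc944529a1ed931f4cd09c694a92ad6b5680de58c4a2149077b6"),
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORTED}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests as hash_bytes, streamed so large samples need not fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in REPORTED}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def mismatches(hashes: dict, reported: dict = REPORTED) -> list:
    """Algorithms whose digest differs from the report; an empty list means same sample."""
    return sorted(alg for alg, digest in reported.items() if hashes.get(alg) != digest)


@dataclass
class Event:
    """One normalised sandbox event (assumed schema): kind is one of
    file_write, file_delete, process_create or connect."""
    kind: str
    process: str
    detail: str


# Heuristics are this example's own, not the sandbox's signature rules.
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
TOR_ENDPOINT = re.compile(r"\.onion(:\d+)?$|:(9050|9150)$", re.I)


def evaluate_signatures(events, sample_path: str) -> set:
    """Map sandbox events onto the three behaviour signatures raised in the report."""
    sample = sample_path.lower()
    hits = set()
    for ev in events:
        detail = ev.detail.lower()
        if ev.kind == "file_write" and SYSTEM32.match(ev.detail):
            hits.add("Drops file in System32 directory")
        elif ev.kind == "file_delete" and detail == sample:
            hits.add("Deletes itself")
        elif ev.kind == "process_create" and "del " in detail and sample in detail:
            # Self-deletion via a child shell that removes the original binary.
            hits.add("Deletes itself")
        elif ev.kind == "connect" and TOR_ENDPOINT.search(ev.detail):
            hits.add("Uses Tor communications")
    return hits


# Constructed events for this example; they are not taken from the report.
SAMPLE_PATH = r"C:\Users\analyst\Desktop\520636dbbdc33d8dbdf1b14f043b46f8.exe"
SAMPLE_EVENTS = [
    Event("file_write", SAMPLE_PATH, r"C:\Windows\System32\example_dropped.dll"),
    Event("connect", SAMPLE_PATH, "127.0.0.1:9050"),
    Event("process_create", SAMPLE_PATH,
          f'cmd.exe /c ping 127.0.0.1 -n 3 & del "{SAMPLE_PATH}"'),
    Event("file_write", SAMPLE_PATH, r"C:\Users\analyst\AppData\Local\Temp\notes.txt"),
]

if __name__ == "__main__":
    print("signatures:", sorted(evaluate_signatures(SAMPLE_EVENTS, SAMPLE_PATH)))
    print("report digests self-consistent:", mismatches(REPORTED) == [])
```

Run `mismatches(hash_file(path))` before spending any analysis time: an empty list is the only acceptable result, because the same filename can carry a different build. The Tor heuristic is deliberately narrow; a sample that bundles its own Tor client can connect straight to relays on ordinary ports, so in practice the network side of that signature needs relay-list or TLS-fingerprint matching rather than a port check.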
