General

  • Target

    yA0A.tmp.bin.zip

  • Size

    84KB

  • Sample

    220407-3wa3xsbaar

  • MD5

    43f48b9407bd4e67f5f20e7e679ba193

  • SHA1

    84bc285f4584f7cc6f0c966d19e2bf8f97820e04

  • SHA256

    dedd163599da14f5c9082a6611c08342d9b68681f770b4e083ed4f513b215420

  • SHA512

    69ba3904f18316b6f452592ace0670bc2df6cf00f025fbe35d57d1e5c3fde06716b23c036b9ad0b71bcb2202d67e516222768078d6e150bd33ab7752f4d52d79

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

  • rsa_pubkey.base64

  • rsa_pubkey.plain

Targets

    • Target

      yA0A.tmp.bin

    • Size

      151KB

    • MD5

      55ab2f304f8c2da30aeee7713a95064d

    • SHA1

      aae939cf3995905399e427097fc90c5b62f3d4c3

    • SHA256

      41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

    • SHA512

      08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

    Score
    10/10
    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks