General

  • Target

    request.doc

  • Size

    526KB

  • Sample

    220407-q9wkkaeahn

  • MD5

    9b96a79a5e52ce888306ae92bf6668dc

  • SHA1

    5e50023b851d24e7b16afa48eaa0904b5368259d

  • SHA256

    6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f

  • SHA512

    117f93c86cda5fd51e7b5c869dd3067b391ad1bdebf4dbb358243d42e6ae6eea612b12d568a18a5ea47050977da4c9312aa93c5c9de9b3373b25e5e7d0edad31

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

  • rsa_pubkey.base64

  • rsa_pubkey.plain

Targets

    • Gozi RM3

      A heavily modified version of Gozi that uses the RM3 loader.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Uses Tor communications

      Malware can proxy its traffic through Tor for greater anonymity.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks