Overview

overview

10

Static

static

request.docm

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    request.doc

  • Size

    526KB

  • Sample

    220407-syya5aaad2

  • MD5

    2f66e607c3dc705034713fa5ae67bb9d

  • SHA1

    2fc6a71d0b3298e59852b57f27b2b24bfbc25d32

  • SHA256

    2f206f6c5b458da0a0ed4057780d8c90c00cd0f8e31846ab626d55331e81b614

  • SHA512

    8189dec15803be9ec0aa56db832450177dcbad48477096280b6c1b961a56aadcf127ef335f31daaf25b1c6b54869d76ffb46772acd9fce59caaf342a7b6ec7f4

Score
10/10
gozi_rm3bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

rsa_pubkey.base64

Targets

    • Target

      request.doc

    • Size

      526KB

    • MD5

      2f66e607c3dc705034713fa5ae67bb9d

    • SHA1

      2fc6a71d0b3298e59852b57f27b2b24bfbc25d32

    • SHA256

      2f206f6c5b458da0a0ed4057780d8c90c00cd0f8e31846ab626d55331e81b614

    • SHA512

      8189dec15803be9ec0aa56db832450177dcbad48477096280b6c1b961a56aadcf127ef335f31daaf25b1c6b54869d76ffb46772acd9fce59caaf342a7b6ec7f4

    Score
    10/10
    gozi_rm3bankertrojan

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

      bankertrojangozi_rm3

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks