General

  • Target

    c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d.doc

  • Size

    526KB

  • Sample

    220408-p8kagahger

  • MD5

    b3a054e49f4d87490a8208a801567112

  • SHA1

    d038a9bc0564167a299abe43382eb6c3ef6ee88e

  • SHA256

    c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d

  • SHA512

    b9082cc341e8b85c4755095e741cc1e83f79194d8bc801cf97933fac712e9d3198409534fcb76f011f97c0b8e88f03a164d37791020f9e75503e5713e859440d

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

  • rsa_pubkey.base64

Targets

    • Gozi RM3

      A heavily modified version of Gozi using RM3 loader.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

MITRE ATT&CK Enterprise v6

Tasks