gozi_rm3 | f3cedab08c77075613db3c3fafbddc71e81bbe65e8667d48c3d62cd585075bd0 | Triage

Sharing

General

Target

f3cedab08c77075613db3c3fafbddc71e81bbe65e8667d48c3d62cd585075bd0
Size

241KB
Sample

220417-k3h31adddj
MD5

0023a2efe83f02957f958502700c5673
SHA1

a4cd5a09fd9a252dd6a24500767798aee57267cf
SHA256

f3cedab08c77075613db3c3fafbddc71e81bbe65e8667d48c3d62cd585075bd0
SHA512

f79414e0d0aeb9c07b42cc6978c1c799692224318c52d8a7c8893d9ea51b87cd32c0b92188bbd13697e82e9e31a5a4d909ae0865360031da9dd2aa578fdc06cd

Score

10^/10

gozi_rm3 93020421 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300930

Extracted

Family

gozi_rm3

Botnet

93020421

C2

https://dealbuzzard.xyz

Attributes

build
300930
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  f3cedab08c77075613db3c3fafbddc71e81bbe65e8667d48c3d62cd585075bd0
- Size
  
  241KB
- MD5
  
  0023a2efe83f02957f958502700c5673
- SHA1
  
  a4cd5a09fd9a252dd6a24500767798aee57267cf
- SHA256
  
  f3cedab08c77075613db3c3fafbddc71e81bbe65e8667d48c3d62cd585075bd0
- SHA512
  
  f79414e0d0aeb9c07b42cc6978c1c799692224318c52d8a7c8893d9ea51b87cd32c0b92188bbd13697e82e9e31a5a4d909ae0865360031da9dd2aa578fdc06cd
Score

10^/10

gozi_rm3 93020421 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm393020421bankertrojan

behavioral2

gozi_rm393020421bankertrojan