gozi_rm3 | 26abb23658a1829ab32e9571659eb160043e35e0100124c5c612e8e31e81cfb4 | Triage

Sharing

General

Target

26abb23658a1829ab32e9571659eb160043e35e0100124c5c612e8e31e81cfb4
Size

909KB
Sample

220520-hkxsbseef2
MD5

b05e538afe8cb9d55f0e61720626310c
SHA1

c3154048ac74ceac75fdc62820ef66f1bdb31334
SHA256

26abb23658a1829ab32e9571659eb160043e35e0100124c5c612e8e31e81cfb4
SHA512

c668ab5c2686c84c329948c2bf72b7e1c20ea81e3a3706367655cdbb8f67c3d724b82a29252e5fc9c498c664338d370366df95cc806e58fc7738320962ca166c

Score

10^/10

gozi_rm3 202004141 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  26abb23658a1829ab32e9571659eb160043e35e0100124c5c612e8e31e81cfb4
- Size
  
  909KB
- MD5
  
  b05e538afe8cb9d55f0e61720626310c
- SHA1
  
  c3154048ac74ceac75fdc62820ef66f1bdb31334
- SHA256
  
  26abb23658a1829ab32e9571659eb160043e35e0100124c5c612e8e31e81cfb4
- SHA512
  
  c668ab5c2686c84c329948c2bf72b7e1c20ea81e3a3706367655cdbb8f67c3d724b82a29252e5fc9c498c664338d370366df95cc806e58fc7738320962ca166c
Score

10^/10

gozi_rm3 202004141 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_rm3202004141bankertrojan

behavioral2

gozi_rm3202004141bankertrojan