gozi_rm3 | 17748fbfb1fff859df80148a390e9a6f571cf4550f1295dcbb8561efc06c317c | Triage

Sharing

General

Target

17748fbfb1fff859df80148a390e9a6f571cf4550f1295dcbb8561efc06c317c
Size

72KB
Sample

220524-2vt9qsaha5
MD5

ffd9cefe91a9cf391a04187d0a05c39b
SHA1

8bcda3c8068ef39b4c0662bdbed5cfa6426af9b0
SHA256

17748fbfb1fff859df80148a390e9a6f571cf4550f1295dcbb8561efc06c317c
SHA512

83701dd5b5aa21c5a9e020ed850761ca8f1490ad054779e5ccbeb418dab836090ba77103358036c0a9bb1e8d8f803fa8c8626a7f1bc01943d442e95761481bcc

Score

10^/10

gozi_rm3 202004022 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004022

C2

https://karntnatural.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  17748fbfb1fff859df80148a390e9a6f571cf4550f1295dcbb8561efc06c317c
- Size
  
  72KB
- MD5
  
  ffd9cefe91a9cf391a04187d0a05c39b
- SHA1
  
  8bcda3c8068ef39b4c0662bdbed5cfa6426af9b0
- SHA256
  
  17748fbfb1fff859df80148a390e9a6f571cf4550f1295dcbb8561efc06c317c
- SHA512
  
  83701dd5b5aa21c5a9e020ed850761ca8f1490ad054779e5ccbeb418dab836090ba77103358036c0a9bb1e8d8f803fa8c8626a7f1bc01943d442e95761481bcc
Score

10^/10

gozi_rm3 202004022 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004022bankertrojan

behavioral2

gozi_rm3202004022bankertrojan