gozi_rm3 | 665391337ffc4fe16d0a2a9b2380a3ed9f9ffcd3091404b79f986722f5be8104 | Triage

Sharing

General

Target

665391337ffc4fe16d0a2a9b2380a3ed9f9ffcd3091404b79f986722f5be8104
Size

908KB
Sample

220524-3b5rssbde4
MD5

4c4583d027bdd1d41d7d58d2d476873a
SHA1

03448c69ec5735bdc0603389d52df46bc928e68d
SHA256

665391337ffc4fe16d0a2a9b2380a3ed9f9ffcd3091404b79f986722f5be8104
SHA512

cc6a392e2fb4b7934f36961cba7b031bed241914eb8a4821f223f708916effa00649cc37f7508621e69733400bb639d31d612b3b43dddf8ecf0c7a83769dfc37

Score

10^/10

gozi_rm3 202004141 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  665391337ffc4fe16d0a2a9b2380a3ed9f9ffcd3091404b79f986722f5be8104
- Size
  
  908KB
- MD5
  
  4c4583d027bdd1d41d7d58d2d476873a
- SHA1
  
  03448c69ec5735bdc0603389d52df46bc928e68d
- SHA256
  
  665391337ffc4fe16d0a2a9b2380a3ed9f9ffcd3091404b79f986722f5be8104
- SHA512
  
  cc6a392e2fb4b7934f36961cba7b031bed241914eb8a4821f223f708916effa00649cc37f7508621e69733400bb639d31d612b3b43dddf8ecf0c7a83769dfc37
Score

10^/10

gozi_rm3 202004141 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004141bankertrojan

behavioral2

gozi_rm3202004141bankertrojan