gozi_rm3 | e8bd007130fe0466959efa321f20227e28aad4cf901558561c1da8d98d21e7ed | Triage

Sharing

General

Target

e8bd007130fe0466959efa321f20227e28aad4cf901558561c1da8d98d21e7ed
Size

908KB
Sample

220524-s8ddpsgdg6
MD5

6c1889d45866d7570cb99a5a38e5e280
SHA1

7cd7ee7204b948182f9cf3bd31ba84ab017661f3
SHA256

e8bd007130fe0466959efa321f20227e28aad4cf901558561c1da8d98d21e7ed
SHA512

42f4ea90e8892d7dc0664be3fe2cb29d3e864eef0fdda18536962ed951a3c5295b34787f9b5dd73c9e69123e5a7a75fa8ce1891d3cec030ff5618e3773a61abd

Score

10^/10

gozi_rm3 202004141 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  e8bd007130fe0466959efa321f20227e28aad4cf901558561c1da8d98d21e7ed
- Size
  
  908KB
- MD5
  
  6c1889d45866d7570cb99a5a38e5e280
- SHA1
  
  7cd7ee7204b948182f9cf3bd31ba84ab017661f3
- SHA256
  
  e8bd007130fe0466959efa321f20227e28aad4cf901558561c1da8d98d21e7ed
- SHA512
  
  42f4ea90e8892d7dc0664be3fe2cb29d3e864eef0fdda18536962ed951a3c5295b34787f9b5dd73c9e69123e5a7a75fa8ce1891d3cec030ff5618e3773a61abd
Score

10^/10

gozi_rm3 202004141 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004141bankertrojan

behavioral2