gozi_rm3 | 0c2fdd1cf54726053f476f0a622516296f74d05080cba267d299fe88aa95d96f | Triage

Sharing

General

Target

0c2fdd1cf54726053f476f0a622516296f74d05080cba267d299fe88aa95d96f
Size

619KB
Sample

220525-ahhxdscfg4
MD5

023633aabeaf85cacd110b117c8294ab
SHA1

78d1d0e1e2151c90e152c8ee7ea0b8677a26f332
SHA256

0c2fdd1cf54726053f476f0a622516296f74d05080cba267d299fe88aa95d96f
SHA512

57a89791e4feac8f909c30762a2c757a81ace876a2e9e1d0b07f266bf175b5899fcdae93afa0cbf0c78fdace0368cf6e7d5d060d3119fd55ae434ffb6584f505

Score

10^/10

gozi_rm3 90020242 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300900

Extracted

Family

gozi_rm3

Botnet

90020242

C2

https://vrhgroups.xyz

Attributes

build
300900
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  0c2fdd1cf54726053f476f0a622516296f74d05080cba267d299fe88aa95d96f
- Size
  
  619KB
- MD5
  
  023633aabeaf85cacd110b117c8294ab
- SHA1
  
  78d1d0e1e2151c90e152c8ee7ea0b8677a26f332
- SHA256
  
  0c2fdd1cf54726053f476f0a622516296f74d05080cba267d299fe88aa95d96f
- SHA512
  
  57a89791e4feac8f909c30762a2c757a81ace876a2e9e1d0b07f266bf175b5899fcdae93afa0cbf0c78fdace0368cf6e7d5d060d3119fd55ae434ffb6584f505
Score

10^/10

gozi_rm3 90020242 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm390020242bankertrojan

behavioral2

gozi_rm390020242bankertrojan