gozi_rm3 | 9f3cc8765a811b9f58feaccca366bb1bdb0d74b23c71567bc351b0633baa69c9 | Triage

Sharing

General

Target

9f3cc8765a811b9f58feaccca366bb1bdb0d74b23c71567bc351b0633baa69c9
Size

908KB
Sample

220525-aw8pzadcc2
MD5

6630d4f7353364157e589da1e7198280
SHA1

9893d5762407385ec98b6380ec2ec86f9273b773
SHA256

9f3cc8765a811b9f58feaccca366bb1bdb0d74b23c71567bc351b0633baa69c9
SHA512

c54bb4f0d7d81c208ae1d4c65fb8afc205c35ebf62b906c36b233e33e7f4f6c83c08942d712a28446faa570d2f3cd597719a3dd6da72bbafab3884491e465473

Score

10^/10

gozi_rm3 202004141 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  9f3cc8765a811b9f58feaccca366bb1bdb0d74b23c71567bc351b0633baa69c9
- Size
  
  908KB
- MD5
  
  6630d4f7353364157e589da1e7198280
- SHA1
  
  9893d5762407385ec98b6380ec2ec86f9273b773
- SHA256
  
  9f3cc8765a811b9f58feaccca366bb1bdb0d74b23c71567bc351b0633baa69c9
- SHA512
  
  c54bb4f0d7d81c208ae1d4c65fb8afc205c35ebf62b906c36b233e33e7f4f6c83c08942d712a28446faa570d2f3cd597719a3dd6da72bbafab3884491e465473
Score

10^/10

gozi_rm3 202004141 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004141bankertrojan

behavioral2

gozi_rm3202004141bankertrojan