gozi_rm3 | bc2c2a4b1ffb52f227181d825d960ecceda3b085271cda93db1c15ca709c6d61 | Triage

Sharing

General

Target

bc2c2a4b1ffb52f227181d825d960ecceda3b085271cda93db1c15ca709c6d61
Size

619KB
Sample

220525-b2w4ssaebn
MD5

565809de29b3f8d16a5b28fa88306dd4
SHA1

3c06ddb7bc8b566a3eb61f8479680e874ee0fe51
SHA256

bc2c2a4b1ffb52f227181d825d960ecceda3b085271cda93db1c15ca709c6d61
SHA512

df87f63f6784188304436f3e0b5f019f6fe8d95cc152d09e66f6b82a911922b89bcc7c0e68dcc86b72b12ae35447d6d8561c263f9b00a29f9d698128401cb383

Score

10^/10

gozi_rm3 90020242 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300900

Extracted

Family

gozi_rm3

Botnet

90020242

C2

https://vrhgroups.xyz

Attributes

build
300900
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  bc2c2a4b1ffb52f227181d825d960ecceda3b085271cda93db1c15ca709c6d61
- Size
  
  619KB
- MD5
  
  565809de29b3f8d16a5b28fa88306dd4
- SHA1
  
  3c06ddb7bc8b566a3eb61f8479680e874ee0fe51
- SHA256
  
  bc2c2a4b1ffb52f227181d825d960ecceda3b085271cda93db1c15ca709c6d61
- SHA512
  
  df87f63f6784188304436f3e0b5f019f6fe8d95cc152d09e66f6b82a911922b89bcc7c0e68dcc86b72b12ae35447d6d8561c263f9b00a29f9d698128401cb383
Score

10^/10

gozi_rm3 90020242 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm390020242bankertrojan

behavioral2

gozi_rm390020242bankertrojan