gozi_rm3 | a29aacc628b82c6818aa1c02502381a7725dd0ed2573ee3282c936839298b257 | Triage

Sharing

General

Target

a29aacc628b82c6818aa1c02502381a7725dd0ed2573ee3282c936839298b257
Size

908KB
Sample

220525-cf2mtsbddn
MD5

2ae6c0be540b8d633c7c5558d32854af
SHA1

3998b03acdff21c1a0a7d3b1330f42e0e47a6c8f
SHA256

a29aacc628b82c6818aa1c02502381a7725dd0ed2573ee3282c936839298b257
SHA512

843d3f10daa2c4bc8afb1adc682d4429a6daa6982c46151ebdcb39733ba5b6a94cf13a73bebcd9f694b58ab3a133df7764df8e2611ddace338c6ac1e19e1f65c

Score

10^/10

gozi_rm3 202004141 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  a29aacc628b82c6818aa1c02502381a7725dd0ed2573ee3282c936839298b257
- Size
  
  908KB
- MD5
  
  2ae6c0be540b8d633c7c5558d32854af
- SHA1
  
  3998b03acdff21c1a0a7d3b1330f42e0e47a6c8f
- SHA256
  
  a29aacc628b82c6818aa1c02502381a7725dd0ed2573ee3282c936839298b257
- SHA512
  
  843d3f10daa2c4bc8afb1adc682d4429a6daa6982c46151ebdcb39733ba5b6a94cf13a73bebcd9f694b58ab3a133df7764df8e2611ddace338c6ac1e19e1f65c
Score

10^/10

gozi_rm3 202004141 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3202004141bankertrojan

behavioral2

gozi_rm3202004141bankertrojan