gozi_rm3 | ef34b6671447483cf5d7138f84d6d7cec9eb5cc5b225d98f0cc08cfcbf115121 | Triage

Sharing

General

Target

ef34b6671447483cf5d7138f84d6d7cec9eb5cc5b225d98f0cc08cfcbf115121
Size

142KB
Sample

220525-ct9klabhan
MD5

f207e4a2f190abbcec69a4461c43e4a7
SHA1

c6500264a23ac088bd5a4c13c645be962d1d6c2b
SHA256

ef34b6671447483cf5d7138f84d6d7cec9eb5cc5b225d98f0cc08cfcbf115121
SHA512

77b4dd1db955a217e77b311c50e1211e46884c7c1c02cc533743f5200365232c684e1f0b9e6bb4113ed4a99c74e6a5c27054f78e4d5e8a5f93b06485feec8e10

Score

10^/10

gozi_rm3 202003312 banker cryptone packer trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202003312

C2

https://daycareforyou.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  ef34b6671447483cf5d7138f84d6d7cec9eb5cc5b225d98f0cc08cfcbf115121
- Size
  
  142KB
- MD5
  
  f207e4a2f190abbcec69a4461c43e4a7
- SHA1
  
  c6500264a23ac088bd5a4c13c645be962d1d6c2b
- SHA256
  
  ef34b6671447483cf5d7138f84d6d7cec9eb5cc5b225d98f0cc08cfcbf115121
- SHA512
  
  77b4dd1db955a217e77b311c50e1211e46884c7c1c02cc533743f5200365232c684e1f0b9e6bb4113ed4a99c74e6a5c27054f78e4d5e8a5f93b06485feec8e10
Score

10^/10

gozi_rm3 202003312 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_rm3202003312bankertrojan

behavioral2

gozi_rm3202003312bankertrojan