gozi_rm3 | 2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb | Triage

Sharing

General

Target

2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb
Size

216KB
Sample

220615-btfrvaafd4
MD5

cff9274db1f4113dc918a308855591b0
SHA1

263295f3a14ca098b72ed53095a01555d17dcd66
SHA256

2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb
SHA512

49597e5ce8d7f5c6b4a2850f96f3c6eba3b95cb390ec3ecf75722ccff35a0f89668f5ee87ff996de2fd8f61414e7224e66d974abf01a415596420ddccb6459be

Score

10^/10

gozi_rm3 2000 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300768

Extracted

Family

gozi_rm3

Botnet

2000

C2

cdn5.inmax.at

u2.inmax.at

api.fiho.at

t2.fiho.at

Attributes

build
300768
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
350
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb
- Size
  
  216KB
- MD5
  
  cff9274db1f4113dc918a308855591b0
- SHA1
  
  263295f3a14ca098b72ed53095a01555d17dcd66
- SHA256
  
  2ba6ac3fcd1d3784d5ff276205d84327f20e60a6e96f5bc21db7f0c36c5c16bb
- SHA512
  
  49597e5ce8d7f5c6b4a2850f96f3c6eba3b95cb390ec3ecf75722ccff35a0f89668f5ee87ff996de2fd8f61414e7224e66d974abf01a415596420ddccb6459be
Score

10^/10

gozi_rm3 2000 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

gozi_rm32000bankertrojan

behavioral2

gozi_rm32000bankertrojan