gozi_rm3 | 2e219d0b2ce2572be4cc11b81ed7e908d483ee7dc0ca28cb83f8109ce8a78cb6 | Triage

Sharing

General

Target

2e219d0b2ce2572be4cc11b81ed7e908d483ee7dc0ca28cb83f8109ce8a78cb6
Size

42KB
Sample

220622-n68plsdgfl
MD5

c962cbc49ce85c1d1068bb0fafc8995a
SHA1

148ccfe986159a1e46409921a105d52327289342
SHA256

2e219d0b2ce2572be4cc11b81ed7e908d483ee7dc0ca28cb83f8109ce8a78cb6
SHA512

20924beb9f16affa98fbe388fffcb28fcd710e00de5b9db4259fbabd49db849431523364f1eb451718cfbc12829a40f56eae0752f7ba0a5a78c088ce70e64191

Score

10^/10

gozi_rm3 1000 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300799

Extracted

Family

gozi_rm3

Botnet

1000

C2

y1.rexa.at

loop.rexa.at

Attributes

build
300799
exe_type
loader
server_id
350
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2e219d0b2ce2572be4cc11b81ed7e908d483ee7dc0ca28cb83f8109ce8a78cb6
- Size
  
  42KB
- MD5
  
  c962cbc49ce85c1d1068bb0fafc8995a
- SHA1
  
  148ccfe986159a1e46409921a105d52327289342
- SHA256
  
  2e219d0b2ce2572be4cc11b81ed7e908d483ee7dc0ca28cb83f8109ce8a78cb6
- SHA512
  
  20924beb9f16affa98fbe388fffcb28fcd710e00de5b9db4259fbabd49db849431523364f1eb451718cfbc12829a40f56eae0752f7ba0a5a78c088ce70e64191
Score

10^/10

gozi_rm3 1000 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

gozi_rm31000bankertrojan