General
-
Target
dettare-04.22.2021.doc
-
Size
170KB
-
Sample
210422-xgwhzf5ycx
-
MD5
7a505b0a54691e03015e62dc1424bae9
-
SHA1
c723379191e2b61e00e78e93531a78aea7a4167f
-
SHA256
ef9ce000152d2e164a2ad8b13e427d95c8bf6570f244d837ac969c1548f41e71
-
SHA512
8519d6ac872f23b45aac4f848b64a37a7b62452e3effd471466e36a9831043e7e6468c2bbf3e42111fc7f87dbab1a76341effc5b308704a0028689e9a4ecf1cb
Malware Config
Extracted
gozi_ifsb
4460
1.microsoft.com
horulenuke.us
vorulenuke.us
-
build
250190
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
Targets
-
-
Target
dettare-04.22.2021.doc
-
Size
170KB
-
MD5
7a505b0a54691e03015e62dc1424bae9
-
SHA1
c723379191e2b61e00e78e93531a78aea7a4167f
-
SHA256
ef9ce000152d2e164a2ad8b13e427d95c8bf6570f244d837ac969c1548f41e71
-
SHA512
8519d6ac872f23b45aac4f848b64a37a7b62452e3effd471466e36a9831043e7e6468c2bbf3e42111fc7f87dbab1a76341effc5b308704a0028689e9a4ecf1cb
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-