General
-
Target
details.06.21.doc
-
Size
45KB
-
Sample
210610-267spsyg7s
-
MD5
eb4ad3308c0c6623d8ac3093d7479f5a
-
SHA1
143a4095d8e736e19078391a922a3835803bd431
-
SHA256
a88169c57e59fdb8fd9127660b5a8c48cdc256ad18d843ab8971cc312171cf44
-
SHA512
679c40e8778ee66e6a2c06e81028fe463f97ddbaf45572ea1f0056154b3d414f0ccbe6cac11b926da7712370478e18e310ed0c94a755b17f13f819151688990c
Malware Config
Extracted
gozi_ifsb
6000
authd.feronok.com
app.bighomegl.at
-
build
250204
-
exe_type
loader
-
server_id
580
Targets
-
-
Target
details.06.21.doc
-
Size
45KB
-
MD5
eb4ad3308c0c6623d8ac3093d7479f5a
-
SHA1
143a4095d8e736e19078391a922a3835803bd431
-
SHA256
a88169c57e59fdb8fd9127660b5a8c48cdc256ad18d843ab8971cc312171cf44
-
SHA512
679c40e8778ee66e6a2c06e81028fe463f97ddbaf45572ea1f0056154b3d414f0ccbe6cac11b926da7712370478e18e310ed0c94a755b17f13f819151688990c
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-