General
-
Target
request.zip
-
Size
53KB
-
Sample
210621-hg2q2a3nhn
-
MD5
13864014c18f6e552cdaf93e528196a7
-
SHA1
571d5061aa2409b0faaff3fcdc26602d9e2d4dda
-
SHA256
c4e3fd4bec97eab33175137a64ff9f87d417b3746fbaa431a43d202e96fa6739
-
SHA512
0174d80bbd51b9b0f1913560009120c05af7105eb2255357bd33b251082170cbb166e7dbf6ca916f9b96f07c2a013849eaaae379e70e6123e622e678b168b097
Malware Config
Extracted
gozi_ifsb
6000
authd.feronok.com
app.bighomegl.at
-
build
250204
-
exe_type
loader
-
server_id
580
Targets
-
-
Target
dictate 06.21.doc
-
Size
49KB
-
MD5
2778650cf580fcab0d721d41ead80517
-
SHA1
9464966e79017b77400fd5ea0dd5f1a324cc61bd
-
SHA256
f2040360f616328b604f250435c203f28ed71cae425e730f1d1106dc4e00b1e1
-
SHA512
3f7c1d8b96e4d42213c7b9dc756a75b7a1578814933d7975192797e384b55feaeb8bb51241fbfaa25e5111b4f2c6169c056563c1272449cb7b2ed1d8c2909c8e
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-