General
-
Target
certificate.06.21.doc
-
Size
50KB
-
Sample
210621-mqt74fyezj
-
MD5
778c7f21764d2fc338a5abfa2becfb35
-
SHA1
39dfa04561018e6dc4590bb6530ca2b2d5351183
-
SHA256
cc70447b7be5068a55ad34baa92ebd524a00e0a4a210b69fa16d4bf84f48e239
-
SHA512
2f3c868240b63c3e179006c9919e91f1330fc9e6bfc06e65d2484e2e10418d3dd3094c903747cfe5e2035b31850059c5bb046f8791554341fe29756b68fa8d6a
Malware Config
Extracted
gozi_ifsb
6000
authd.feronok.com
app.bighomegl.at
-
build
250204
-
exe_type
loader
-
server_id
580
Targets
-
-
Target
certificate.06.21.doc
-
Size
50KB
-
MD5
778c7f21764d2fc338a5abfa2becfb35
-
SHA1
39dfa04561018e6dc4590bb6530ca2b2d5351183
-
SHA256
cc70447b7be5068a55ad34baa92ebd524a00e0a4a210b69fa16d4bf84f48e239
-
SHA512
2f3c868240b63c3e179006c9919e91f1330fc9e6bfc06e65d2484e2e10418d3dd3094c903747cfe5e2035b31850059c5bb046f8791554341fe29756b68fa8d6a
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-