General
-
Target
17111b025ecfe5977ab52df9d25b922e19e88ba5b9a8d3c37703a6a5951a9b01
-
Size
402KB
-
Sample
220608-14jzpabgaq
-
MD5
001152a12cd7920eea057748954837dc
-
SHA1
2793f1d16014c394ba056d91622fde7e7bb8d3ae
-
SHA256
17111b025ecfe5977ab52df9d25b922e19e88ba5b9a8d3c37703a6a5951a9b01
-
SHA512
3223a8c953d1075db34947c5af0b7f38f01a29787ae653b2ddde1194670c5d31b45156150ac6b597077135990e36cb0096a8c9e6d53c5d1facd1739c6e4e3510
Malware Config
Extracted
gozi_ifsb
-
build
214734
Extracted
gozi_ifsb
1100
restnatauses.at/zpvp/gtr02po/krp3cmg
outaplaceshave.cn/zpvp/gtr02po/krp3cmg
voleroid.at/zpvp/gtr02po/krp3cmg
letaformerrightru.su/zpvp/gtr02po/krp3cmg
andlegislature.at/zpvp/gtr02po/krp3cmg
volhood.at/zpvp/gtr02po/krp3cmg
vopiolek.at/zpvp/gtr02po/krp3cmg
withtrestersare.at/zpvp/gtr02po/krp3cmg
hothegivforsuffer.cn/zpvp/gtr02po/krp3cmg
volaerop.at/zpvp/gtr02po/krp3cmg
justiceseasfriends.cn/zpvp/gtr02po/krp3cmg
moonjoehon.at/zpvp/gtr02po/krp3cmg
endeavsunless.at/zpvp/gtr02po/krp3cmg
trepeatedandequal.cn/zpvp/gtr02po/krp3cmg
theindependence.su/zpvp/gtr02po/krp3cmg
creatortherefore.cn/zpvp/gtr02po/krp3cmg
-
build
214734
-
exe_type
worker
-
server_id
110
Targets
-
-
Target
17111b025ecfe5977ab52df9d25b922e19e88ba5b9a8d3c37703a6a5951a9b01
-
Size
402KB
-
MD5
001152a12cd7920eea057748954837dc
-
SHA1
2793f1d16014c394ba056d91622fde7e7bb8d3ae
-
SHA256
17111b025ecfe5977ab52df9d25b922e19e88ba5b9a8d3c37703a6a5951a9b01
-
SHA512
3223a8c953d1075db34947c5af0b7f38f01a29787ae653b2ddde1194670c5d31b45156150ac6b597077135990e36cb0096a8c9e6d53c5d1facd1739c6e4e3510
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-