General
-
Target
2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85
-
Size
388KB
-
Sample
220615-avpkpsgfe2
-
MD5
26cd3a038676f8e9cebf84a85dbe3668
-
SHA1
feda5aa1052e306db3a6a73904ea6046b228abe8
-
SHA256
2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85
-
SHA512
26b9b4e8f16e82aaea428d77afe92c0ab75cff6fb0bd848433b95e04b51f0da0799c0f48d1a4234ce15ccfa23b229860dda84f5155012bcf3955d0794cfb90ff
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85
-
Size
388KB
-
MD5
26cd3a038676f8e9cebf84a85dbe3668
-
SHA1
feda5aa1052e306db3a6a73904ea6046b228abe8
-
SHA256
2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85
-
SHA512
26b9b4e8f16e82aaea428d77afe92c0ab75cff6fb0bd848433b95e04b51f0da0799c0f48d1a4234ce15ccfa23b229860dda84f5155012bcf3955d0794cfb90ff
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-