General
-
Target
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
-
Size
361KB
-
Sample
220615-fd8vxahfe5
-
MD5
89fcd562f34d2b8aac582c852c85b2ae
-
SHA1
bf816e7b9be16330f8fd74585ba81821d5b76626
-
SHA256
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
-
SHA512
83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
-
Size
361KB
-
MD5
89fcd562f34d2b8aac582c852c85b2ae
-
SHA1
bf816e7b9be16330f8fd74585ba81821d5b76626
-
SHA256
2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
-
SHA512
83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-