General
-
Target
27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
-
Size
388KB
-
Sample
220616-ee75bsafbq
-
MD5
6f53973fc74e45dfd268d788875213cd
-
SHA1
8d9650b42290b5d41e15eea0d6a6ffac5f8ec6d7
-
SHA256
27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
-
SHA512
21b18db60020b449d211d9c233d04387be19f9b0730c1cb49f6d4e5f4c8ce5b92ca8e311b490731b78299add07dce0c80c7fe56341cf4072e2c1332076b812a5
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
-
Size
388KB
-
MD5
6f53973fc74e45dfd268d788875213cd
-
SHA1
8d9650b42290b5d41e15eea0d6a6ffac5f8ec6d7
-
SHA256
27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
-
SHA512
21b18db60020b449d211d9c233d04387be19f9b0730c1cb49f6d4e5f4c8ce5b92ca8e311b490731b78299add07dce0c80c7fe56341cf4072e2c1332076b812a5
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-