General
-
Target
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
-
Size
493KB
-
Sample
220620-vls7rahha9
-
MD5
853b89f711eb10ab73ee8e1ad2f6cb63
-
SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
-
SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
-
SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
-
Size
493KB
-
MD5
853b89f711eb10ab73ee8e1ad2f6cb63
-
SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
-
SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
-
SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-