General
-
Target
86850bbf046bc1c9c33efe881effd67af0a753890e7c833cc52fe10b14a19607
-
Size
1.2MB
-
Sample
220701-grpjvsfacm
-
MD5
61a6e9eb4e7fadde64147a6ff1a4859b
-
SHA1
65237daa32a2049b6cc09caa0080c9a089b639b7
-
SHA256
86850bbf046bc1c9c33efe881effd67af0a753890e7c833cc52fe10b14a19607
-
SHA512
dcb05784421123d1c7b7110446e932a5ac12dc98b0b27eb237b0694cf37e2af8d70a0e96ad9fc1e23a875e91d225316f2dd033ec94e7fb2ddcbc22de253db043
Malware Config
Extracted
gozi_ifsb
304
http://aaxvkah7dudzoloq.onion
http://tahhir.at
http://limpopo.at
http://estate-advice.at
-
build
217107
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
86850bbf046bc1c9c33efe881effd67af0a753890e7c833cc52fe10b14a19607
-
Size
1.2MB
-
MD5
61a6e9eb4e7fadde64147a6ff1a4859b
-
SHA1
65237daa32a2049b6cc09caa0080c9a089b639b7
-
SHA256
86850bbf046bc1c9c33efe881effd67af0a753890e7c833cc52fe10b14a19607
-
SHA512
dcb05784421123d1c7b7110446e932a5ac12dc98b0b27eb237b0694cf37e2af8d70a0e96ad9fc1e23a875e91d225316f2dd033ec94e7fb2ddcbc22de253db043
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-