gozi_ifsb | ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3

Analysis

Target

ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3.exe
Size

213KB
MD5

dff480cd23f848f857536e74007a4d15
SHA1

e5812cb089df331d5904173b8fb632de04d0994c
SHA256

ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3
SHA512

5fd4221823d82f207cb92998170fe82889a7a1616ecd3a6feb29dac6a297512cfb8678accbd92f68648191bf9042c57964fddebbfd51c79e136ca7998c6ef1d2

Score

10^/10

Family

gozi_ifsb

Botnet

2000

foo.fulldin.at/webstore

bat.fulldin.at/webstore

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
dns_servers
193.183.98.66
89.40.116.230
94.247.43.254
195.10.195.195
8.8.8.8
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 193.183.98.66
Destination IP 89.40.116.230
Destination IP 94.247.43.254
Destination IP 195.10.195.195

C:\Users\Admin\AppData\Local\Temp\ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3.exe
"C:\Users\Admin\AppData\Local\Temp\ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3.exe"
1⤵
PID:624

memory/624-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/624-55-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/624-61-0x0000000000EF0000-0x0000000000EFB000-memory.dmp

Filesize
44KB

Download
memory/624-62-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/624-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download