General
-
Target
53917efc3f24d80ce1d144dd23295ec5e8498a0c5ee6e99acbdc648197640d6d
-
Size
264KB
-
Sample
220727-bcbfsscca9
-
MD5
3e1ca7a48da6b67a45ccfcb097076fa9
-
SHA1
7e24b958629d8ce31f7b82e2b7d76bd49775e77b
-
SHA256
53917efc3f24d80ce1d144dd23295ec5e8498a0c5ee6e99acbdc648197640d6d
-
SHA512
c068a5e69ea408c76b680508cbf5a0e2f98348e8ab6227d33455ba21bd27bba192ffc765a88f7d321da52cda28a02cbea76ce023fefeaabcf7ec50956732ad3b
Malware Config
Extracted
gozi_ifsb
2000
intro.tir001.at/rpc
doa.quappak.at/rpc
api.siperskon.at/rpc
io.tir001.at/rpc
ytruieowphf.bit/rpc
u2.ceelop.at/rpc
enter.nokartoon.at/rpc
api.nwq2000.at/rpc
cd.iqwoker.at/rpc
api.fin150.at/rpc
chat.loop1000.at/rpc
chat.iqwoker.at/rpc
mahono.cn/rpc
-
build
217061
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
192.71.245.208
8.8.8.8
178.17.170.179
82.196.9.45
151.80.222.79
68.183.70.217
217.144.135.7
158.69.160.164
207.148.83.241
5.189.170.196
217.144.132.148
94.247.43.254
188.165.200.156
159.89.249.249
150.249.149.222
-
exe_type
loader
-
server_id
150
Extracted
gozi_ifsb
-
build
217061
Targets
-
-
Target
53917efc3f24d80ce1d144dd23295ec5e8498a0c5ee6e99acbdc648197640d6d
-
Size
264KB
-
MD5
3e1ca7a48da6b67a45ccfcb097076fa9
-
SHA1
7e24b958629d8ce31f7b82e2b7d76bd49775e77b
-
SHA256
53917efc3f24d80ce1d144dd23295ec5e8498a0c5ee6e99acbdc648197640d6d
-
SHA512
c068a5e69ea408c76b680508cbf5a0e2f98348e8ab6227d33455ba21bd27bba192ffc765a88f7d321da52cda28a02cbea76ce023fefeaabcf7ec50956732ad3b
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Suspicious use of SetThreadContext
-