General
-
Target
7c35ac9b94a6e3cbcadf70b8c6d42c0a8385bb6b58953db4adec28e8eee8d120
-
Size
663KB
-
Sample
220731-fsxq7aafdj
-
MD5
7a4af18d561a31a156762b6cf01b981e
-
SHA1
f4222f6bc717d0f6280b53c58549e6633bd8c7bc
-
SHA256
7c35ac9b94a6e3cbcadf70b8c6d42c0a8385bb6b58953db4adec28e8eee8d120
-
SHA512
97c0d7977dfb218a5c31c12a358e45ca18423c11c59e38884b1de0c1feb86c34aa8e11272b9b5971998967630ba983538af0645f1bee4b5ab86f2f23e707a9a9
Malware Config
Extracted
gozi_ifsb
92
http://aaxvkah7dudzoloq.onion
http://mashallah.at
http://anumal-planet.at
-
build
217027
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
7c35ac9b94a6e3cbcadf70b8c6d42c0a8385bb6b58953db4adec28e8eee8d120
-
Size
663KB
-
MD5
7a4af18d561a31a156762b6cf01b981e
-
SHA1
f4222f6bc717d0f6280b53c58549e6633bd8c7bc
-
SHA256
7c35ac9b94a6e3cbcadf70b8c6d42c0a8385bb6b58953db4adec28e8eee8d120
-
SHA512
97c0d7977dfb218a5c31c12a358e45ca18423c11c59e38884b1de0c1feb86c34aa8e11272b9b5971998967630ba983538af0645f1bee4b5ab86f2f23e707a9a9
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-