General
-
Target
2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
-
Size
494KB
-
Sample
220802-yzpchaafe6
-
MD5
0f2be4fe0362766dcf339d4c03326bc4
-
SHA1
69e26e9e75e8a8359d232d8e14318b9235e1a828
-
SHA256
2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
-
SHA512
8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150
Malware Config
Extracted
gozi_ifsb
11111
trackingg-protectioon.cdn1.mozilla.net
194.76.225.168
194.76.224.242
-
base_path
/fonts/
-
build
250240
-
exe_type
loader
-
extension
.bak
-
server_id
50
Targets
-
-
Target
2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
-
Size
494KB
-
MD5
0f2be4fe0362766dcf339d4c03326bc4
-
SHA1
69e26e9e75e8a8359d232d8e14318b9235e1a828
-
SHA256
2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
-
SHA512
8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-