General
Target: 6329b3a546054tiff.dll
Size: 511KB
Sample: 220920-qc8tmageem
MD5: dbe0888d7edb236b38d0dcfd33dd0a06
SHA1: f53a59741ddc982af5b77bd77ab99f74e9b33948
SHA256: 49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
SHA512: b893e59fb0cf5db3ae076798849e467b239c7be30917cff40b5df6d5f9feadb50e90ba728ea9955f628c27e519c407f5b7c4b12eba002064387846e7662e2473
SSDEEP: 6144:yTZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jyy:YZP+7jsZS0r59Qw3RxjkeP
Static task: static1
Behavioral task: behavioral1
Sample: 6329b3a546054tiff.dll
Resource: win7-20220812-en
Malware Config
Extracted
gozi_ifsb
3000
base_path: /drew/
build: 250246
exe_type: loader
extension: .jlk
server_id: 50
Extracted
gozi_ifsb
3000
base_path: /images/
build: 250246
exe_type: worker
extension: .jlk
server_id: 50
Targets
Target: 6329b3a546054tiff.dll
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext