Extracted

• • Target

    838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2

  • Size

    81KB

  • MD5

    648f447ef46ad487b37527f469df0010

  • SHA1

    65bc52c369003382def306c4556e38200f3c7b38

  • SHA256

    838eb7c04e0c1306403ece64cf100352d833d7c8440f3273e701f6478fbfeea2

  • SHA512

    5d0405455767f8ba932800465050cb7f670ded3b604694ea3ab3a0b6380064ad3bb4e1a1ef96f7771520524c5d410843fd94d03972f57c99b060781ef827bb70

  • SSDEEP

    1536:OBSXEetLkkvlOt86NnJsmxqpELT4qg8gwwpqvtd:OBSXEeFftOFNJTxqi+8gwjn

  Score

  10^/10

  gozi_ifsbnjrathacked by zr_exebankerevasionpersistencetrojan

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2