General
-
Target
026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
-
Size
302KB
-
Sample
221026-3wxa6aaag3
-
MD5
f870c0d62691fc39194922e4a59fdc1c
-
SHA1
69369a1aa35592ca4eede5179060f2c58e9bae6e
-
SHA256
026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
-
SHA512
92a452a2f63e9e214f98d14fcee1dd8f8c55b94ce90ed541986af08117f09779e159f76ae043ab6be4c49d254e4846448b632e0f33fcafb0be362a90a1a934ae
-
SSDEEP
6144:qTBSsdUvHN91B8LdCCoVupEo5KdEBaxRxnxXOWFi2HAwsih5:oUJvHNnBGdpOupzEdEByxW2g
Malware Config
Extracted
gozi_ifsb
1010
sys.cwthecw.com/bcms/assets/img
sys.whyblacklivesmatter.org/bcms/assets/img
sys.mohitsagarmusic.com/bcms/assets/img
lansystemstat.com/bcms/assets/img
highnetwork.pw/bcms/assets/img
lostnetwork.in/bcms/assets/img
sysconnections.net/bcms/assets/img
lansupports.com/bcms/assets/img
-
exe_type
worker
-
server_id
35
Targets
-
-
Target
026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
-
Size
302KB
-
MD5
f870c0d62691fc39194922e4a59fdc1c
-
SHA1
69369a1aa35592ca4eede5179060f2c58e9bae6e
-
SHA256
026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
-
SHA512
92a452a2f63e9e214f98d14fcee1dd8f8c55b94ce90ed541986af08117f09779e159f76ae043ab6be4c49d254e4846448b632e0f33fcafb0be362a90a1a934ae
-
SSDEEP
6144:qTBSsdUvHN91B8LdCCoVupEo5KdEBaxRxnxXOWFi2HAwsih5:oUJvHNnBGdpOupzEdEByxW2g
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-