Extracted

• • Target

    056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

  • Size

    350KB

  • MD5

    3f65f241981377c60c4f96e43f2925c3

  • SHA1

    6f11358676bc96c1062858739904f955996906f4

  • SHA256

    056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

  • SHA512

    a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

  • SSDEEP

    6144:n5gNwmDoctwXekY4no0zbbRzpBwmZm+72dCMKB7QNk3VcXaO:kknXekNoYJzLids7Ak3VEN

  Score

  10^/10

  gozi_ifsb1000bankerevasionpersistencetrojan

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb

  • Windows security bypass

    evasiontrojan

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2