General
-
Target
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
-
Size
430KB
-
Sample
221027-abzlkaabbp
-
MD5
8730820fabb55d15f327b8bca8ade887
-
SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3
-
SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
-
SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034
-
SSDEEP
12288:/4SwXkbqJNiIeJY4kLm7lszLu0j4/VR7VXQfj:gSZ+TiIeJCLm7z4qVR7V
Malware Config
Extracted
gozi_ifsb
10008
jscallowallowallowjcli.me
disallowjscuserallow.pw
-
build
215801
-
dga_base_url
z1.zedo.com/robots.txt
-
dga_crc
0x246640bb
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
-
Size
430KB
-
MD5
8730820fabb55d15f327b8bca8ade887
-
SHA1
e20c2ec38086bfd9760925f055e13d286bdd0aa3
-
SHA256
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af
-
SHA512
dbe64932b5f7de98de9a7db1a127d5b3a13e595c556b86796de2c3857550b6f3ff3e061fc4b90d891c247b915d9c0fea85c07d9ee29cb8471decf2b81108e034
-
SSDEEP
12288:/4SwXkbqJNiIeJY4kLm7lszLu0j4/VR7VXQfj:gSZ+TiIeJCLm7z4qVR7V
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-