General
Target: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff
Size: 503KB
Sample: 221027-aeeessabd4
MD5: 60238ebad1c44bf159c2eba25f3c4ca6
SHA1: 8ee071c4e55bbc7ac2fcfa1779307b2e19f1e9d0
SHA256: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff
SHA512: f209749ed5d7e6a189fcd4efc31b4eb2a462d6d7654b23101d0e2aad73a6d812cdf5a38840eb2a0309061b066d4a853f1e649f6ba35db0dac09e42d650302945
SSDEEP: 12288:mqE2NJWh/VScyFi9VJqgqrSyXNTTkiYfwtfYNh:k00dUi9SgLwdYfwt
Static task: static1
Behavioral task: behavioral1
  Sample: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted
Family: gozi_ifsb
3000
C2: romaya.ru
C2: matashka.ru
C2: matashka399.ru
build: 200000
exe_type: worker
server_id: 12
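The extracted config and file hashes above are the actionable part of this report. The following is an added example, not part of the sandbox output: it takes the three C2 hosts and the listed digests and turns them into checks a responder can run, matching DNS query-log lines against the C2 list on a label boundary (so a look-alike such as notmatashka.ru is not flagged while a subdomain of a listed host is) and confirming that a file on disk really is this sample before the report's verdict is applied to it. The query-log lines are constructed for the demo and the BIND-style log format is an assumption.

```python
"""Checks built from the extracted gozi_ifsb config and the report's hashes.

Added example, not part of the sandbox report: C2 hosts and digests come from
the report above; the DNS log lines are constructed and the BIND-style query
log format is an assumption.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# C2 hosts from the extracted config.
GOZI_C2_HOSTS = frozenset({"romaya.ru", "matashka.ru", "matashka399.ru"})

# Digests of the sample as listed in the report (lowercase hex).
SAMPLE_HASHES = {
    "md5": "60238ebad1c44bf159c2eba25f3c4ca6",
    "sha1": "8ee071c4e55bbc7ac2fcfa1779307b2e19f1e9d0",
    "sha256": "3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff",
}

# Constructed query-log lines in a BIND-style format (assumed, not from the report).
SAMPLE_DNS_LOG = """\
27-Oct-2022 09:14:02.101 client 10.0.0.5#51234: query: romaya.ru IN A + (10.0.0.1)
27-Oct-2022 09:14:02.340 client 10.0.0.5#51235: query: cdn.matashka399.ru IN A + (10.0.0.1)
27-Oct-2022 09:14:03.002 client 10.0.0.7#49822: query: notmatashka.ru IN A + (10.0.0.1)
27-Oct-2022 09:14:03.410 client 10.0.0.9#53311: query: www.example.com IN A + (10.0.0.1)
27-Oct-2022 09:14:04.777 client 10.0.0.5#51236: query: MATASHKA.RU. IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def normalize_host(name: str) -> str:
    """Lowercase and drop a trailing dot so 'MATASHKA.RU.' compares equal to 'matashka.ru'."""
    return name.strip().rstrip(".").lower()


def matching_c2(qname: str, c2_hosts=GOZI_C2_HOSTS) -> Optional[str]:
    """Return the C2 host that qname equals or is a subdomain of, else None.

    The check is done on a label boundary on purpose: a plain substring test
    would flag 'notmatashka.ru' as a hit for 'matashka.ru'.
    """
    host = normalize_host(qname)
    for c2 in c2_hosts:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


def find_c2_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan query-log lines and return (source_ip, queried_name, matched_c2) hits."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        c2 = matching_c2(m.group("qname"))
        if c2:
            hits.append((m.group("src"), m.group("qname"), c2))
    return hits


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute the MD5, SHA1 and SHA256 digests the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_reported_sample(data: bytes) -> bool:
    """True only when every listed digest matches; one algorithm alone is not enough."""
    actual = file_hashes(data)
    return all(actual[algo] == digest for algo, digest in SAMPLE_HASHES.items())


if __name__ == "__main__":
    for src, qname, c2 in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"{src} queried {qname} -> gozi_ifsb C2 {c2}")
    print("empty file is the reported sample:", is_reported_sample(b""))
```

To use it against a real file, pass the file's bytes to is_reported_sample(); to use it against real resolver logs, adjust QUERY_RE to your log format and feed the text to find_c2_queries(). Only three hosts are matched here because those are the only ones the extracted config contains.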
Targets
Target: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff (503KB; hashes as listed under General)
Score: 10/10
Signatures
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext