General
Target: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
Size: 437KB
Sample: 221027-aefmvsabd7
MD5: b5f35ddf66046061fe55935b2bb210c8
SHA1: 1b0cc49bdbc8959938088747c048fc98b8386bad
SHA256: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
SHA512: a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265
SSDEEP: 6144:nuU4My6j817/7TodFsGN858k31BSZW5lV3QfZ0SHKDGiRX8AeZ+oDsCgu77+YESv:nuuyt7jTodFzjUD5AfZ0cUGW8V6QcAHd
Static task: static1
Behavioral task: behavioral1
Sample: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted: gozi_ifsb
Config ID: 1001
build: 215840
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
exe_type: worker
server_id: 93
Targets
Target: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
Score: 10/10
Signatures:
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely used for geofencing.
- Adds Run key to start application
- Suspicious use of SetThreadContext