General
-
Target
1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85
-
Size
274KB
-
Sample
221029-sdmznacdcp
-
MD5
e4887286f3e2d429ad5656e609a0a10e
-
SHA1
1b1cdcc60d9f5d0e871b4aa9827c77f5ad871e68
-
SHA256
1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85
-
SHA512
57cd8cb009a095e6d94ea16a28602428aa37bcff78cd8835afb2310cfeded84f0a021786e99dbc0f55425dd7c739a4d760ad20b1c887b698dcafbb37ea4fcb6a
-
SSDEEP
3072:rA3U3itVPvf2br58lNKlyExkBd0+lpsHcoAYwdPlHVuIXKDlbtT8NS0Y/ONlVv4h:ZiVX+5WQl1+lpEdA7F0pik0zPgk
Malware Config
Extracted
gozi
Extracted
gozi
1010
sys.naturallymewraps.com/geodata/version/ip2ext
nan.bocalee.com/geodata/version/ip2ext
sys.aronzvi.com/geodata/version/ip2ext
lan.hayloindigo.com/geodata/version/ip2ext
lansystemstat.com/geodata/version/ip2ext
highnetwork.pw/geodata/version/ip2ext
lostnetwork.in/geodata/version/ip2ext
sysconnections.net/geodata/version/ip2ext
lansupports.com/geodata/version/ip2ext
-
build
212578
-
exe_type
worker
-
server_id
30
Targets
-
-
Target
1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85
-
Size
274KB
-
MD5
e4887286f3e2d429ad5656e609a0a10e
-
SHA1
1b1cdcc60d9f5d0e871b4aa9827c77f5ad871e68
-
SHA256
1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85
-
SHA512
57cd8cb009a095e6d94ea16a28602428aa37bcff78cd8835afb2310cfeded84f0a021786e99dbc0f55425dd7c739a4d760ad20b1c887b698dcafbb37ea4fcb6a
-
SSDEEP
3072:rA3U3itVPvf2br58lNKlyExkBd0+lpsHcoAYwdPlHVuIXKDlbtT8NS0Y/ONlVv4h:ZiVX+5WQl1+lpEdA7F0pik0zPgk
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-