General
-
Target
a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700
-
Size
430KB
-
Sample
221107-twfhzahhar
-
MD5
fcf5c2e8baafde4f0d4334aec04009a4
-
SHA1
7c14de6dcfa2f34966b97a49093eb91c1bc1c7fd
-
SHA256
a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700
-
SHA512
de955f8b2c76e0f93bfd5a2b68a5509be69c68ed2256ab76a57b2a1838e5306b5fb3d641e736d3037a7c4db69cb66296dcff4a7766f483fdea94392086d8447d
-
SSDEEP
6144:8QsE6W/19evWMzL3Lt6b21mc4PdLXEeLw6o:83E6k19eDHLtqPc4VzEey
Malware Config
Extracted
gozi
Extracted
gozi
1010
nan.bocalee.com/geodata/version/ip2ext
sys.aronzvi.com/geodata/version/ip2ext
lan.hayloindigo.com/geodata/version/ip2ext
sys.jacentacobb.com/geodata/version/ip2ext
lansystemstat.com/geodata/version/ip2ext
highnetwork.pw/geodata/version/ip2ext
lostnetwork.in/geodata/version/ip2ext
sysconnections.net/geodata/version/ip2ext
lansupports.com/geodata/version/ip2ext
-
build
212578
-
exe_type
worker
-
server_id
30
Targets
-
-
Target
a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700
-
Size
430KB
-
MD5
fcf5c2e8baafde4f0d4334aec04009a4
-
SHA1
7c14de6dcfa2f34966b97a49093eb91c1bc1c7fd
-
SHA256
a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700
-
SHA512
de955f8b2c76e0f93bfd5a2b68a5509be69c68ed2256ab76a57b2a1838e5306b5fb3d641e736d3037a7c4db69cb66296dcff4a7766f483fdea94392086d8447d
-
SSDEEP
6144:8QsE6W/19evWMzL3Lt6b21mc4PdLXEeLw6o:83E6k19eDHLtqPc4VzEey
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies Installed Components in the registry
-
Deletes itself
-
Adds Run key to start application
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-