General
-
Target
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
-
Size
361KB
-
Sample
221128-elv4cadc55
-
MD5
0f4a6d7ab535e9354fde86800e3b3739
-
SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106
-
SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
-
SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60
-
SSDEEP
6144:4IVQv0y3NRJO22A8oos+W0OBMgxDy1+yAD20GvPYE8a:RVQvBNfORjVOB7xDQ1AD20GXYEZ
Malware Config
Extracted
gozi
Extracted
gozi
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
-
Size
361KB
-
MD5
0f4a6d7ab535e9354fde86800e3b3739
-
SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106
-
SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
-
SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60
-
SSDEEP
6144:4IVQv0y3NRJO22A8oos+W0OBMgxDy1+yAD20GvPYE8a:RVQvBNfORjVOB7xDQ1AD20GXYEZ
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-