General
-
Target
3b9b5d86958aa8f41e37d13e520960bded75e54edea49a95e781b084f01f083b
-
Size
828KB
-
Sample
230129-wbtafafh44
-
MD5
8cf82a12af3f7d587e53a3fbca32137a
-
SHA1
414fd5b46a7750d556e004e76639b76936b9bf8b
-
SHA256
3b9b5d86958aa8f41e37d13e520960bded75e54edea49a95e781b084f01f083b
-
SHA512
22a8108d1d87a1fbf6e4e1654c99fab3c41239458c62164ac405503b26112b3df062730a4be5e61b3d95f8a0fd087da4e8c4d159f07a78ae9c167b9d16e4f0ff
-
SSDEEP
12288:+i50AfzexzpLMBL5ptl+6QVtQVagLMKlablkiVawo+N9e8+K//uE:1NRBHtlamXLMKxiPn7eMD
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://maiamirainy.at
http://drunt.at
-
build
216098
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
3b9b5d86958aa8f41e37d13e520960bded75e54edea49a95e781b084f01f083b
-
Size
828KB
-
MD5
8cf82a12af3f7d587e53a3fbca32137a
-
SHA1
414fd5b46a7750d556e004e76639b76936b9bf8b
-
SHA256
3b9b5d86958aa8f41e37d13e520960bded75e54edea49a95e781b084f01f083b
-
SHA512
22a8108d1d87a1fbf6e4e1654c99fab3c41239458c62164ac405503b26112b3df062730a4be5e61b3d95f8a0fd087da4e8c4d159f07a78ae9c167b9d16e4f0ff
-
SSDEEP
12288:+i50AfzexzpLMBL5ptl+6QVtQVagLMKlablkiVawo+N9e8+K//uE:1NRBHtlamXLMKxiPn7eMD
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-