General
-
Target
a618ce04df8c9195874e13e3edb99327968633b1331c8f65be07b077e134fa8c
-
Size
956KB
-
Sample
230129-wc3khafh77
-
MD5
3c4aadeaf32a98db87da7aa67356975e
-
SHA1
43b8729872b46d625f31b4e834cb1d34b826ab43
-
SHA256
a618ce04df8c9195874e13e3edb99327968633b1331c8f65be07b077e134fa8c
-
SHA512
76ff531949d7346b9c7efd75821548542419a6d0ec5096ebcc58414f27f985de7d59f24aa30816d8da06060c226538f881c3ff6472b8535c3af4115f985bfecd
-
SSDEEP
24576:mOrDG3wBlTQGKG7psOQhbwDk3lc+sv0cnVWezj8Q9gasYWenxvXf+k+7bff663qE:3q8lMGtpsOQhbwDYlc+svvWezoQ9gaPS
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://maiamirainy.at
http://drunt.at
http://news-deck.at
-
build
216098
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
a618ce04df8c9195874e13e3edb99327968633b1331c8f65be07b077e134fa8c
-
Size
956KB
-
MD5
3c4aadeaf32a98db87da7aa67356975e
-
SHA1
43b8729872b46d625f31b4e834cb1d34b826ab43
-
SHA256
a618ce04df8c9195874e13e3edb99327968633b1331c8f65be07b077e134fa8c
-
SHA512
76ff531949d7346b9c7efd75821548542419a6d0ec5096ebcc58414f27f985de7d59f24aa30816d8da06060c226538f881c3ff6472b8535c3af4115f985bfecd
-
SSDEEP
24576:mOrDG3wBlTQGKG7psOQhbwDk3lc+sv0cnVWezj8Q9gasYWenxvXf+k+7bff663qE:3q8lMGtpsOQhbwDYlc+svvWezoQ9gaPS
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-