General
-
Target
5f233a7900a3429f76b01c2768e6e6a1123f270716a5150e71caa2d7ce0c9e34
-
Size
822KB
-
Sample
230129-wcsejafh69
-
MD5
40820b8392d26c36d924fe4875eb7854
-
SHA1
2b18be55269aa80e50701f2a4843616425b2e752
-
SHA256
5f233a7900a3429f76b01c2768e6e6a1123f270716a5150e71caa2d7ce0c9e34
-
SHA512
2d0c9df5b46b468853d7f2b001adf48516bfcb20dfec2b5395006310f11b47425bb77c1c36d21aeb98f465482a03327d3f71a0f64c6cea9a329e85703d8c0a42
-
SSDEEP
12288:R4M/vPufq2ORdooOdSgWrdDoXiglWjw9SAcqP2W5OEhuAwc84b2mzd5x6dlGN5:RP3RdNhgWpo3UmSSIOKm2mR5xWwN5
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://news-deck.at
http://taslks.at
http://living-start.at
-
build
217107
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
5f233a7900a3429f76b01c2768e6e6a1123f270716a5150e71caa2d7ce0c9e34
-
Size
822KB
-
MD5
40820b8392d26c36d924fe4875eb7854
-
SHA1
2b18be55269aa80e50701f2a4843616425b2e752
-
SHA256
5f233a7900a3429f76b01c2768e6e6a1123f270716a5150e71caa2d7ce0c9e34
-
SHA512
2d0c9df5b46b468853d7f2b001adf48516bfcb20dfec2b5395006310f11b47425bb77c1c36d21aeb98f465482a03327d3f71a0f64c6cea9a329e85703d8c0a42
-
SSDEEP
12288:R4M/vPufq2ORdooOdSgWrdDoXiglWjw9SAcqP2W5OEhuAwc84b2mzd5x6dlGN5:RP3RdNhgWpo3UmSSIOKm2mR5xWwN5
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-