General
-
Target
fd7366a395e43967d6ba4ea9f37d738d6a39614d763f06b8cb8c0a18813969b1
-
Size
956KB
-
Sample
230129-wcvjwshc9x
-
MD5
20bb1dc6c41eae803e039abeec4fcba5
-
SHA1
3a1ea64b378333d8bedbb39bff50a4990a4ed094
-
SHA256
fd7366a395e43967d6ba4ea9f37d738d6a39614d763f06b8cb8c0a18813969b1
-
SHA512
ec3aba93a58df7b0a4a9c32e019b7c8861753f94ee55a24a43c3a2c60254210a280e53bf43685a4e7826276e46c45b88bf2981a711b7c1d379231535d9efe74e
-
SSDEEP
24576:mOrDG3wBlTQGKG7psOQhbwDk3lc+sv0cnVWezj8Q9gasYWenxvXf+k+7bff663qF:3q8lMGtpsOQhbwDYlc+svvWezoQ9gaPn
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://maiamirainy.at
http://drunt.at
http://news-deck.at
-
build
216098
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
fd7366a395e43967d6ba4ea9f37d738d6a39614d763f06b8cb8c0a18813969b1
-
Size
956KB
-
MD5
20bb1dc6c41eae803e039abeec4fcba5
-
SHA1
3a1ea64b378333d8bedbb39bff50a4990a4ed094
-
SHA256
fd7366a395e43967d6ba4ea9f37d738d6a39614d763f06b8cb8c0a18813969b1
-
SHA512
ec3aba93a58df7b0a4a9c32e019b7c8861753f94ee55a24a43c3a2c60254210a280e53bf43685a4e7826276e46c45b88bf2981a711b7c1d379231535d9efe74e
-
SSDEEP
24576:mOrDG3wBlTQGKG7psOQhbwDk3lc+sv0cnVWezj8Q9gasYWenxvXf+k+7bff663qF:3q8lMGtpsOQhbwDYlc+svvWezoQ9gaPn
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-