General
-
Target
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
-
Size
1.1MB
-
Sample
230129-zytfhach94
-
MD5
3267b8df7235b5333b7ac00059273fc1
-
SHA1
fb722196edc83de5c147d1bef4eb676d0ff67543
-
SHA256
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
-
SHA512
7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
-
SSDEEP
24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69pTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4K
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
-
build
217107
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Targets
-
-
Target
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
-
Size
1.1MB
-
MD5
3267b8df7235b5333b7ac00059273fc1
-
SHA1
fb722196edc83de5c147d1bef4eb676d0ff67543
-
SHA256
4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
-
SHA512
7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
-
SSDEEP
24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69pTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4K
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-