General
-
Target
putty.exe
-
Size
292KB
-
Sample
231007-a4m38sge9v
-
MD5
33ddb8880db29cac11e05bfc30bcec6b
-
SHA1
fb90dc44ba4b8f6b356735bd46231e6f99e15b62
-
SHA256
1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea
-
SHA512
b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f
-
SSDEEP
3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo
Malware Config
Extracted
gozi
Extracted
gozi
5050
mifrutty.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
http://igrovdow.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Targets
-
-
Target
putty.exe
-
Size
292KB
-
MD5
33ddb8880db29cac11e05bfc30bcec6b
-
SHA1
fb90dc44ba4b8f6b356735bd46231e6f99e15b62
-
SHA256
1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea
-
SHA512
b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f
-
SSDEEP
3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-