General
-
Target
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
-
Size
274KB
-
Sample
231007-j1msqscc45
-
MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec
-
SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12
-
SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
-
SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
SSDEEP
3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q
Malware Config
Extracted
gozi
Extracted
gozi
5050
mifrutty.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
http://igrovdow.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Targets
-
-
Target
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
-
Size
274KB
-
MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec
-
SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12
-
SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
-
SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
SSDEEP
3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-