General
-
Target
NEAS.28d9423364dd6a924b7fb770b4dbd13d0e7e0eb704c310d2b2bbd75073d8a103zip_JC.zip
-
Size
159KB
-
Sample
231013-r6blnace27
-
MD5
b1b2f3954d0f30e056f5389f40ddb966
-
SHA1
5c8617747edfccb20372972fb58aab7cf3e80fec
-
SHA256
28d9423364dd6a924b7fb770b4dbd13d0e7e0eb704c310d2b2bbd75073d8a103
-
SHA512
37261ecbaee78f88606a675af12e77bdddf5d39a71ac288059f15cd162e3e1753f8a818187fc628c825b69340abd408a33132f2721c72a7758753ce658349ab3
-
SSDEEP
3072:fQ0nEQH0AkecLGrcchh3s47XlXfT+Fgjl/P5pcAyVV3wsOmtEQsh41TBKF7As01r:40nEBA5r3h3LX9r+qNBazgFmWQsudBcK
Malware Config
Extracted
gozi
Extracted
gozi
5050
fotexion.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
fotexion.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Targets
-
-
Target
modulo.cpl
-
Size
206KB
-
MD5
72e2a5c797954e895a41be5b20f867b2
-
SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597
-
SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
-
SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
-
SSDEEP
6144:sMmIE7vr+qWNGzfXDanCU60rPP+vJsWKq12Jy:o/7DrQGzfXDeCU6cevKWXwy
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-