General
-
Target
loader.exe
-
Size
11KB
-
Sample
240530-3vg5vaeh4z
-
MD5
6654b1945e364bbbfc8db4523116f1b4
-
SHA1
a86f8c2b4f92a5b0334782ef1316b2ed8d053134
-
SHA256
95ab3090e9ccf9df22689e7edbf25ff261421b79c5dd96e473774bfcfb44df16
-
SHA512
1c7ff65874cf1b662384a248f66a7547eb9321157f09a58c6500ece02b96095eacbbce960ecfda0d1a1a8a04e097066dd0571740c474f076b98f03964ec636b4
-
SSDEEP
192:5U8JN0Uq+/7m21DQ8rpJlqH+XAUNEpRoffY3HWJic75TPkaw5:5U4/qMB1EaqH8ABVOKaw
Malware Config
Extracted
gozi
Targets
-
-
Target
loader.exe
-
Size
11KB
-
MD5
6654b1945e364bbbfc8db4523116f1b4
-
SHA1
a86f8c2b4f92a5b0334782ef1316b2ed8d053134
-
SHA256
95ab3090e9ccf9df22689e7edbf25ff261421b79c5dd96e473774bfcfb44df16
-
SHA512
1c7ff65874cf1b662384a248f66a7547eb9321157f09a58c6500ece02b96095eacbbce960ecfda0d1a1a8a04e097066dd0571740c474f076b98f03964ec636b4
-
SSDEEP
192:5U8JN0Uq+/7m21DQ8rpJlqH+XAUNEpRoffY3HWJic75TPkaw5:5U4/qMB1EaqH8ABVOKaw
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-