gozi_ifsb | a31d0d59f61aeb7a42378ae39255fec0072b65b28af2ed4097662a53132a36c2 | Triage

Submit
Reports

Overview

overview

Static

static

6

presentati...25.vbs

windows7_x64

presentati...25.vbs

windows10_x64

1

Sharing

General

Target

presentation#_76325.vbs
Size

1.2MB
Sample

200602-xxys2kh3sx
MD5

ee4c58983f325bb00a5d04d6c5e41b91
SHA1

8284f45c6af2757db6e4046de697ecf38858b174
SHA256

a31d0d59f61aeb7a42378ae39255fec0072b65b28af2ed4097662a53132a36c2
SHA512

c3f371661d0f1ba846f714fa9c7b7a34066af1cb0c42ae72a9fb77d0f6c604f2b43f3c84b83bac67d84c754c387fe7f4ce17fb4aec9974ad5e45077a99f0672c

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

presentation#_76325.vbs

Resource

win7v200430

banker trojan gozi_ifsb ursnif spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

presentation#_76325.vbs

Resource

win10v200430

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  presentation#_76325.vbs
- Size
  
  1.2MB
- MD5
  
  ee4c58983f325bb00a5d04d6c5e41b91
- SHA1
  
  8284f45c6af2757db6e4046de697ecf38858b174
- SHA256
  
  a31d0d59f61aeb7a42378ae39255fec0072b65b28af2ed4097662a53132a36c2
- SHA512
  
  c3f371661d0f1ba846f714fa9c7b7a34066af1cb0c42ae72a9fb77d0f6c604f2b43f3c84b83bac67d84c754c387fe7f4ce17fb4aec9974ad5e45077a99f0672c
Score

10^/10

banker trojan gozi_ifsb ursnif spyware
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Blacklisted process makes network request
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

bankertrojangozi_ifsbursnifspyware

behavioral2

© 2018-2025

Terms | Privacy