gozi_ifsb | bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5 | Triage

Submit
Reports

Overview

overview

Static

static

434.dll

windows7_x64

434.dll

windows10_x64

Sharing

General

Target

434.dll
Size

367KB
Sample

200713-qhgl5exm1x
MD5

7e9c8822be0f73073ce2cc5ef5a13c96
SHA1

10b2f8667db53eaf1b85a209d9b80b834425167f
SHA256

bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
SHA512

120bfec74eed70dc19d7aff9ed8dc392616a6c652f4c7b3f642219c6d5203038e66cef65e67b79041b8653b65021e2402b3cfc0f3b6850afd1d13e2a03637118

Score

10^/10

gozi_ifsb pony ursnif banker discovery evasion rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

434.dll

Resource

win7

evasion spyware trojan discovery banker ursnif rat stealer pony gozi_ifsb

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

434.dll

Resource

win10

spyware banker trojan gozi_ifsb ursnif discovery rat stealer pony

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  434.dll
- Size
  
  367KB
- MD5
  
  7e9c8822be0f73073ce2cc5ef5a13c96
- SHA1
  
  10b2f8667db53eaf1b85a209d9b80b834425167f
- SHA256
  
  bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
- SHA512
  
  120bfec74eed70dc19d7aff9ed8dc392616a6c652f4c7b3f642219c6d5203038e66cef65e67b79041b8653b65021e2402b3cfc0f3b6850afd1d13e2a03637118
Score

10^/10

evasion spyware trojan discovery banker ursnif rat stealer pony gozi_ifsb
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks for installed software on the system
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies system certificate store
  evasion spyware trojan
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionspywaretrojandiscoverybankerursnifratstealerponygozi_ifsb

behavioral2

spywarebankertrojangozi_ifsbursnifdiscoveryratstealerpony

© 2018-2024

Terms | Privacy