gozi_ifsb | 68f87a49ca4f6f1fe31b3e26a0988f13c270c66cf45e94f2e83fd0c41b63564b | Triage

Sharing

General

Target

200803-c35b16vf3a_pw_infected.zip
Size

388KB
Sample

200803-t5ta4s1zv6
MD5

2f8bb0d0e7a4b45a55014ff54994c406
SHA1

10292225ec6ae8ebb38dc0a15371a932adb5e94d
SHA256

68f87a49ca4f6f1fe31b3e26a0988f13c270c66cf45e94f2e83fd0c41b63564b
SHA512

d8d4d8b845d54bfc3626c9508544c28b6f798ffa952f5dc64608625368fa6d7e7a3f47b42610fcc7251767e8bce543d162b94ce1ffb6cb15e1679117847ccfa4

Score

10^/10

gozi_ifsb ursnif banker evasion persistence spyware trojan

Malware Config

Targets

- Target
  
  cbc399f8957918ca58b540080687665e.bin
- Size
  
  604KB
- MD5
  
  cbc399f8957918ca58b540080687665e
- SHA1
  
  66fd6764a289bbd0c070f2868b9b3dfcaf189870
- SHA256
  
  2b330d2eea637a524621dca0b18db45b53d7542d21323afed1f454f3437c4d3e
- SHA512
  
  a795587c0529e5119e81edfb7ef3480bcd2a6ef5a9e8d4982c4edcd2fdaf66fb77ed0528bc6ce13f3b3667fb6364b4710b8dc5c5843afd11ed982877ee1bf84f
Score

10^/10

banker trojan ursnif persistence spyware evasion gozi_ifsb
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bankertrojanursnifpersistencespywareevasiongozi_ifsb

behavioral2