General

  • Target

    invoice_96733093_10.20.zip.exe

  • Size

    327KB

  • Sample

    201005-8pjp4v6mgx

  • MD5

    ff449329c25e3baa889cf72a5ccb9473

  • SHA1

    d973b0267c639359cbcd8828e8f8e5a78ad85e80

  • SHA256

    303516a866cfe388024135d1e3825f7b3e14e8f75d0b609ed5397b704697b8f7

  • SHA512

    e535b33d86549dc51429ba575cfa3d02d1617dbbc5c697bbcf71cf6080055d0b8e54cce93e3784f7235e875ebbd4a2da82956547b87bc38ce8e0f2b2201d0637

Malware Config

Targets

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Ursnif, Dreambot

      Ursnif is a variant of Gozi ISFB with more capabilities.

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks