gozi_ifsb | 1c7e6efa98f896453080926d8a06a0f34dc89efc5e284cc6d827514e357064a1

General

Target

1c7e6efa98f896453080926d8a06a0f34dc89efc5e284cc6d827514e357064a1
Size

273KB
Sample

201108-my71rt8qqn
MD5

1cd64557583a7131ff7ba4645b5cabde
SHA1

60953f75f0ce09ddbe7e3b8b93120e5def98541b
SHA256

1c7e6efa98f896453080926d8a06a0f34dc89efc5e284cc6d827514e357064a1
SHA512

49e8d53adbf42a982aaed759607f609ebf9aec9f8874a5973f58d4b9e2f3594534c7e661ee2dfb01147052b64c3f4032f8720dab477f3455a6488ef6fea3f75f

Score

10^/10

Malware Config

Targets

- Target
  
  1c7e6efa98f896453080926d8a06a0f34dc89efc5e284cc6d827514e357064a1
- Size
  
  273KB
- MD5
  
  1cd64557583a7131ff7ba4645b5cabde
- SHA1
  
  60953f75f0ce09ddbe7e3b8b93120e5def98541b
- SHA256
  
  1c7e6efa98f896453080926d8a06a0f34dc89efc5e284cc6d827514e357064a1
- SHA512
  
  49e8d53adbf42a982aaed759607f609ebf9aec9f8874a5973f58d4b9e2f3594534c7e661ee2dfb01147052b64c3f4032f8720dab477f3455a6488ef6fea3f75f
Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan upx
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Gozi, Gozi IFSB

Ursnif, Dreambot

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2