Overview

overview

10

Static

static

ee12174421...fa.exe

windows7_x64

10

ee12174421...fa.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ee12174421fe88e3d229a3ceeb79d46695c837cbe6b395ff60bbfed3944fc4fa

  • Size

    365KB

  • Sample

    201108-ncedxh726j

  • MD5

    8f8fa2a30b7831c675f46d73797cb82d

  • SHA1

    8ba2af9608ed6d56a415704bda042e30c8af79c0

  • SHA256

    ee12174421fe88e3d229a3ceeb79d46695c837cbe6b395ff60bbfed3944fc4fa

  • SHA512

    9211d48db1035d568af288daf50fde2b56aec8e8945bbda28098cbc2175a6665895676a5c999039cce93302d26ac2b032720c71c35610c56086c01a84d1f6452

Score
10/10
gozi_ifsbursnifbankerpersistencespywaretrojan

Malware Config

Targets

    • Target

      ee12174421fe88e3d229a3ceeb79d46695c837cbe6b395ff60bbfed3944fc4fa

    • Size

      365KB

    • MD5

      8f8fa2a30b7831c675f46d73797cb82d

    • SHA1

      8ba2af9608ed6d56a415704bda042e30c8af79c0

    • SHA256

      ee12174421fe88e3d229a3ceeb79d46695c837cbe6b395ff60bbfed3944fc4fa

    • SHA512

      9211d48db1035d568af288daf50fde2b56aec8e8945bbda28098cbc2175a6665895676a5c999039cce93302d26ac2b032720c71c35610c56086c01a84d1f6452

    Score
    10/10
    gozi_ifsbursnifbankerpersistencespywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks