gozi_ifsb | 7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9 | Triage

Sharing

General

Target

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9
Size

327KB
Sample

201109-8jc3v12qys
MD5

f3cfeb4d204656cdc50ff1e180dba05d
SHA1

1b18dff965566f28027c933878403d8e9f0cef75
SHA256

7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9
SHA512

89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan

Malware Config

Targets

- Target
  
  7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9
- Size
  
  327KB
- MD5
  
  f3cfeb4d204656cdc50ff1e180dba05d
- SHA1
  
  1b18dff965566f28027c933878403d8e9f0cef75
- SHA256
  
  7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9
- SHA512
  
  89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a
Score

10^/10

gozi_ifsb ursnif banker persistence spyware trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsbursnifbankerpersistencespywaretrojan

behavioral2

gozi_ifsbursnifbankerpersistencespywaretrojan