Overview

overview

10

Static

static

8

02d165251f...74.exe

windows7_x64

10

02d165251f...74.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

  • Size

    273KB

  • Sample

    201110-nw3yhg9cax

  • MD5

    7f1d3c53b9ec4e4a0de133e294c59503

  • SHA1

    0a5cf542342a579a2da13fe81f2a33e8beb2dd53

  • SHA256

    02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

  • SHA512

    38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

Score
10/10
gozi_ifsbursnifbankerpersistencespywaretrojanupx

Malware Config

Targets

    • Target

      02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

    • Size

      273KB

    • MD5

      7f1d3c53b9ec4e4a0de133e294c59503

    • SHA1

      0a5cf542342a579a2da13fe81f2a33e8beb2dd53

    • SHA256

      02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

    • SHA512

      38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

    Score
    10/10
    gozi_ifsbursnifbankerpersistencespywaretrojanupx

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks