Overview

overview

10

Static

static

522b12f425...a2.exe

windows7_x64

10

522b12f425...a2.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

  • Size

    365KB

  • Sample

    201114-c8kmbmdxln

  • MD5

    1ec1a06e9206527fa74c5560f1fa71b7

  • SHA1

    808955643df13e421c270e377c819cde4dd2c845

  • SHA256

    522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

  • SHA512

    f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

Score
10/10
gozi_ifsbursnifbankerpersistencespywaretrojan

Malware Config

Targets

    • Target

      522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

    • Size

      365KB

    • MD5

      1ec1a06e9206527fa74c5560f1fa71b7

    • SHA1

      808955643df13e421c270e377c819cde4dd2c845

    • SHA256

      522b12f425adf3c974452ec25cc35090594cf94ae0f36ef4945c420b322a53a2

    • SHA512

      f6d860a6b21db89615e90caadcc33734a0c6c1a0953fec6d9c0e9330dfb12d8455536ba7c398e86ed33d5e18490cc58ddae3b0c09733bbd1f58394cb5562c604

    Score
    10/10
    gozi_ifsbursnifbankerpersistencespywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks