Overview

overview

10

Static

static

1

b77e78b4a1...ad.exe

windows7_x64

10

b77e78b4a1...ad.exe

windows10_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b77e78b4a11ee81ae30b9db152f77bed8bbaa627dc7af241483d005fd16aa8ad

  • Size

    304KB

  • Sample

    201201-dwqfa69g2x

  • MD5

    5fb2e9f4fdadfded6edfab710d77873e

  • SHA1

    21ac99478c495a21dac291e744df345f4949653d

  • SHA256

    b77e78b4a11ee81ae30b9db152f77bed8bbaa627dc7af241483d005fd16aa8ad

  • SHA512

    aaecaa9c0408766b5ecdbd6605b87b86cfee8a804b13da84a76dd912bb9fcd78347659da6b14a0116688482024398664bd35b3989c1dce18a81617e1f9ac9e89

Score
10/10
gozi_ifsbbankerpersistencespywaretrojan

Malware Config

Targets

    • Target

      b77e78b4a11ee81ae30b9db152f77bed8bbaa627dc7af241483d005fd16aa8ad

    • Size

      304KB

    • MD5

      5fb2e9f4fdadfded6edfab710d77873e

    • SHA1

      21ac99478c495a21dac291e744df345f4949653d

    • SHA256

      b77e78b4a11ee81ae30b9db152f77bed8bbaa627dc7af241483d005fd16aa8ad

    • SHA512

      aaecaa9c0408766b5ecdbd6605b87b86cfee8a804b13da84a76dd912bb9fcd78347659da6b14a0116688482024398664bd35b3989c1dce18a81617e1f9ac9e89

    Score
    10/10
    gozi_ifsbbankerpersistencespywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks