Overview

overview

10

Static

static

5fc612703f844.dll

windows7_x64

10

5fc612703f844.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5fc612703f844.dll

  • Size

    122KB

  • Sample

    201201-sf94h51asx

  • MD5

    897285413e9a2bc5207996e43432078f

  • SHA1

    0da15676430232150a2b2d5b7b9a2cf19d7b3306

  • SHA256

    99b6752f4009fd4bbf0c62cf0f30285fbf28bbdd3c5b7fee0bf1b7fe20a8a406

  • SHA512

    20c986925305276ff52746e0cd8081d8174251e0392ed355a48d94d7febdd5c6955998d9255594b146926bf66886de067a0f942f34ab75b5f1f302794149c9d1

Score
10/10
gozi_ifsbursnifbankerspywaretrojan

Malware Config

Targets

    • Target

      5fc612703f844.dll

    • Size

      122KB

    • MD5

      897285413e9a2bc5207996e43432078f

    • SHA1

      0da15676430232150a2b2d5b7b9a2cf19d7b3306

    • SHA256

      99b6752f4009fd4bbf0c62cf0f30285fbf28bbdd3c5b7fee0bf1b7fe20a8a406

    • SHA512

      20c986925305276ff52746e0cd8081d8174251e0392ed355a48d94d7febdd5c6955998d9255594b146926bf66886de067a0f942f34ab75b5f1f302794149c9d1

    Score
    10/10
    gozi_ifsbursnifbankerspywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks