Overview

overview

10

Static

static

gye1.cab.dll

windows7_x64

10

gye1.cab.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gye1.cab.zip

  • Size

    457KB

  • Sample

    201207-945vcj9gx2

  • MD5

    6ba56c918abb03b5453f6338d87a4004

  • SHA1

    cb1a44a5b66e65d1fb2ddf2b19f21085ae2ddd24

  • SHA256

    ccecbbaf6bdd8b83cb5966dc1e8f6157aea6a22274166fb7c10f194ad28f4277

  • SHA512

    6f9ca254784f148d9f21763ce2289bf0ab6f8fdd992b5722b94b9aef30e07413c55bdc5456b08300e8137438a6d0c67eed1d6e4decab000879b2c615c205d45f

Score
10/10
gozi_ifsbbankerpersistencespywaretrojan

Malware Config

Targets

    • Target

      gye1.cab

    • Size

      632KB

    • MD5

      e78b3e5f216b0fc21a528a1a4de83a39

    • SHA1

      91d536c3667177f95b1713b563d54a1437bf27d5

    • SHA256

      4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c

    • SHA512

      b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb

    Score
    10/10
    gozi_ifsbbankerpersistencespywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks