Overview

overview

10

Static

static

YyIUwQv.dll

windows7_x64

10

YyIUwQv.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    YyIUwQv.dll

  • Size

    565KB

  • Sample

    201209-exe7lyl1kx

  • MD5

    7099df90d162654fa9e3effa97279f51

  • SHA1

    605233409966904822a2e356d662ef837f778396

  • SHA256

    c513c300dd29b821c87623a3718a5d29186fb9bdabb61e42abe5c42cb944bb5f

  • SHA512

    0623038f073dcb8930228f6866a073e9b6bbfaa79fc0f4ee652cb2b2fc2cb65f91028c33d38597504ad62adca00d477804a908034e82796fdf8e32cb378b8b53

Score
10/10
gozi_ifsbursnifbankerspywaretrojan

Malware Config

Targets

    • Target

      YyIUwQv.dll

    • Size

      565KB

    • MD5

      7099df90d162654fa9e3effa97279f51

    • SHA1

      605233409966904822a2e356d662ef837f778396

    • SHA256

      c513c300dd29b821c87623a3718a5d29186fb9bdabb61e42abe5c42cb944bb5f

    • SHA512

      0623038f073dcb8930228f6866a073e9b6bbfaa79fc0f4ee652cb2b2fc2cb65f91028c33d38597504ad62adca00d477804a908034e82796fdf8e32cb378b8b53

    Score
    10/10
    gozi_ifsbursnifbankerspywaretrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Ursnif, Dreambot

      Ursnif is a variant of the Gozi IFSB with more capabilities.

      bankertrojanursnif

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

2
T1018

Process Discovery

1
T1057

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks