gozi_ifsb | 4953b55d6b1a3c0c06178d8c005641b63c875d9aaa330fe430d049dd6617e70a | Triage

Sharing

General

Target

376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e.zip
Size

300KB
Sample

201211-7enahmsvza
MD5

b8dea9903f42422871e2bfa8529dd8eb
SHA1

1b57f8c5ab9170a073a16c1d9044b1eb03d29a72
SHA256

4953b55d6b1a3c0c06178d8c005641b63c875d9aaa330fe430d049dd6617e70a
SHA512

e95a699aa932eb23393c8a8cc5ec6d91db8d93c58001f7cb127c11f0d5095105e05727e795b4b38a3bc6c0569ac64fdf1febb26bc1a0c569bf6a4126d36d622b

Score

10^/10

gozi_ifsb banker persistence spyware trojan

Malware Config

Targets

- Target
  
  376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e
- Size
  
  373KB
- MD5
  
  a3701be6d0583d2f351a11cfac483623
- SHA1
  
  18b378083bdd67452a64bdb93c6a9a5a20770cc2
- SHA256
  
  376eceec074e00eed57561743299ce349d4305fd6829f02ae7c578ecdae59d7e
- SHA512
  
  22932982cacf44414e1dadf20f999aa8183022f7dbcca6cb22afe64514452ab4d01fd758c54ed9b58e9c55e32778cd300da19d9419572795d912bfe3e3fc7c24
Score

10^/10

gozi_ifsb banker persistence spyware trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsbbankerpersistencespywaretrojan

behavioral2

gozi_ifsbbankerpersistencespywaretrojan