gozi_ifsb | fb6856b2e1967b9bebf8deb3f3ea2994cf437e6184d9dc99ee53c92c531d0e27 | Triage

Resubmissions

24-08-2021 14:41

210824-gbqdf47416 10

23-08-2021 18:15

210823-78r35g4gms 10

19-12-2020 05:48

201219-8fefrsq5f2 10

Sharing

General

Target

10fda777cc56f004e90a4037e1e2cdcc.zip
Size

416KB
Sample

201219-8fefrsq5f2
MD5

e4bd183773f14a702da2b0ba75aabd78
SHA1

22f44d8d2d8a7354527e4c78e3455d0377b4a2e0
SHA256

fb6856b2e1967b9bebf8deb3f3ea2994cf437e6184d9dc99ee53c92c531d0e27
SHA512

9f12f68a2e77e880bd05e6c31168ac61990c840e2726bfe976d34dfa1bb796435f7aa236e3b3c09224f07de4f21b809de6e82d1b2ebdb325c0b723ee1bed424a

Score

10^/10

gozi_ifsb ursnif banker persistence trojan

Malware Config

Targets

- Target
  
  37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028
- Size
  
  539KB
- MD5
  
  10fda777cc56f004e90a4037e1e2cdcc
- SHA1
  
  2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9
- SHA256
  
  37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028
- SHA512
  
  9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088
Score

10^/10

gozi_ifsb ursnif banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Ursnif, Dreambot
  Ursnif is a variant of the Gozi IFSB with more capabilities.
  banker trojan ursnif
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsbursnifbankerpersistencetrojan

behavioral2