b5b2765aaf97ae9c22abd312e684616d

General

Target: b5b2765aaf97ae9c22abd312e684616d
Size: 820KB
Sample: 210204-7ddakabam6
Score: 10/10
MD5: b5b2765aaf97ae9c22abd312e684616d
SHA1: a66a652c2067f7489b83aba3b78502c0f482863b
SHA256: 9f6d02b422cb72eb3bbc723b8b4a692bc9f641f1908b7e4b32685b2ad42fbef7
SHA512: af6c0a6c582a0cfd4f7de6bf1cf0199898b31edc0dba5467a499c2148e425d91d556bd7eebd08faf093d610cbf2afbee2237affc206106c7209cb2492a563279

Malware Config

Extracted

Family: gozi_ifsb
Botnet: 2000
Attributes:
  build: 215755
  exe_type: worker
  rsa_pubkey.base64: (value not reproduced on this page)
  serpent.plain: (value not reproduced on this page)

The last two attributes are the RSA public key and Serpent key that Gozi ISFB uses to protect its C2 exchanges; the extractor reports them, but their values are not included here, so they cannot be pivoted on from this page alone.

Signatures

  • Gozi, Gozi IFSB

    Description: Gozi ISFB is a well-known and widely distributed banking trojan.

  • Windows security bypass

    TTPs: Disabling Security Tools (T1089), Modify Registry (T1112)

  • Windows security modification

    TTPs: Disabling Security Tools (T1089), Modify Registry (T1112)

  • Adds Run key to start application

    TTPs: Registry Run Keys / Startup Folder (T1060), Modify Registry (T1112)

  • Suspicious use of SetThreadContext

    Description: Setting the context of a thread in another process (SetThreadContext) is the step that points execution at injected code in process-hollowing style injection. Treat it as an injection indicator to confirm against the process tree and the target image, not as a standalone verdict; debuggers use the same call legitimately.

ATT&CK IDs are added for reference. T1089 and T1060 are the older IDs matching the technique names shown; in current ATT&CK they are T1562.001 (Impair Defenses: Disable or Modify Tools) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
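The two registry-based signatures above (security-tool tampering and Run-key persistence) are behaviours a host-based hunt can confirm from endpoint telemetry. The Python below is an added example, not part of this report or of any sandbox's code: it runs a small detector over constructed Sysmon Event ID 13 (RegistryEvent, value set) records embedded inline. The registry paths it watches (the HKCU/HKLM Run and RunOnce keys and the Windows Defender policy values) are common targets for these TTPs and are assumptions for illustration; the page does not show which keys this sample actually modified, and the hypothetical image names and SIDs in the sample events are made up.

```python
import re

# Constructed Sysmon Event ID 13 records, flattened to "Field=Value" pairs
# using Sysmon's own field names (Image, TargetObject, Details). Illustrative
# only; these are not events captured from the sample on this page.
SAMPLE_EVENTS = [
    # Run-key entry pointing at a binary in a user-writable directory
    r'EventID=13 Image=C:\Users\alice\AppData\Roaming\svchost32.exe EventType=SetValue '
    r'TargetObject=HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\updater '
    r'Details=C:\Users\alice\AppData\Roaming\svchost32.exe',
    # Defender policy value set to 1 (disables the AV engine via policy)
    r'EventID=13 Image=C:\Users\alice\AppData\Roaming\svchost32.exe EventType=SetValue '
    r'TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware '
    r'Details=DWORD (0x00000001)',
    # Benign-looking Run-key entry from an installer, target under Program Files
    r'EventID=13 Image=C:\Program Files\Vendor\Setup.exe EventType=SetValue '
    r'TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent '
    r'Details=C:\Program Files\Vendor\agent.exe',
    # Unrelated registry write that should produce no finding
    r'EventID=13 Image=C:\Windows\System32\svchost.exe EventType=SetValue '
    r'TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Foo '
    r'Details=DWORD (0x00000000)',
]

# Field=Value pairs; values may contain spaces, so stop before the next " Key=".
FIELD = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')

# Assumed watch-list: autostart keys (Sysmon logs HKCU as HKU\<SID>\...).
RUN_KEY = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$', re.I)
# Assumed watch-list: Defender policy values whose DWORD 1 disables protection.
DEFENDER_DISABLE = re.compile(
    r'\\Policies\\Microsoft\\Windows Defender\\'
    r'(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$', re.I)
# Directories an unprivileged user can write to; a Run-key target there is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r'^[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)', re.I)


def parse_event(line):
    """Turn one flattened Sysmon line into a dict of its fields."""
    return dict(FIELD.findall(line))


def dword_value(details):
    """Extract the integer from Sysmon's 'DWORD (0x...)' Details rendering."""
    m = re.search(r'DWORD \((0x[0-9a-fA-F]+)\)', details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a list of (tag, severity) findings for one parsed event."""
    findings = []
    if event.get("EventID") != "13":
        return findings
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if RUN_KEY.search(target):
        severity = "high" if USER_WRITABLE.match(details) else "low"
        findings.append(("persistence.run_key", severity))
    if DEFENDER_DISABLE.search(target) and dword_value(details) == 1:
        findings.append(("defense_evasion.defender_policy_disable", "high"))
    return findings


def analyze(lines):
    """Run the detector over raw event lines and return structured findings."""
    report = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for tag, severity in classify(ev):
            report.append({"event": idx, "image": ev.get("Image"), "tag": tag,
                           "severity": severity, "target": ev.get("TargetObject")})
    return report


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:4}] {f['tag']:40} {f['image']} -> {f['target']}")
```

The severity split matters in practice: Run-key writes are noisy (installers do them constantly), so the example only escalates when the autostart target lives somewhere an unprivileged user can write, while any Defender policy disable is escalated outright. Feeding real Sysmon XML or EVTX requires only swapping parse_event for a proper reader; the classification logic is independent of the transport.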