gozi_ifsb | d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79

Sharing

Copy URL

Twitter E-mail

General

Target

samples.zip
Size

1.9MB
Sample

210218-r49qmrf7rx
MD5

a2551d50157208ea0b81399b8b44d46e
SHA1

1f8b218fee39e7fb61be18325279fead0699d2f7
SHA256

d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79
SHA512

3657a1dde617a65f3a25a1b363512b33aa4c3fb953cdbe93a29bfa9155fb9d8ac64f717a608b7883e8e5f6aeb78740ba8b934defc5561acc89d51265c3e71a20

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon44

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Family

trickbot

Version

100011

Botnet

mon42

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Family

gozi_ifsb

Botnet

2200

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
730

rsa_pubkey.base64

serpent.plain

Extracted

Family

gozi_ifsb

Botnet

3300

api10.laptok.at/api1

golang.feel500.at/api1

go.in100k.at/api1

Attributes

build
250171
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
730

rsa_pubkey.base64

serpent.plain

Extracted

Family

trickbot

Version

100011

Botnet

mon48

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.bin
- Size
  
  430KB
- MD5
  
  e31f19e922d23d120305a0f4814f823e
- SHA1
  
  e78cea0939f886834af7844325baf57f500556ed
- SHA256
  
  48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f
- SHA512
  
  7fbec934aa980951c4b05eaa2544a308effc9c4ae7b3f8ef82a7c10d294f96c2a41537eede8b2afe8f20683979145b33cd2e4e5a19ea76ce5f02cf1a0712f555
Score

1^/10
behavioral1 behavioral2
- Target
  
  202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin
- Size
  
  603KB
- MD5
  
  0da0dabe99b1df919b6fd27d803db851
- SHA1
  
  9b4c420185069f81ba887cd38feee498d2c3f1d6
- SHA256
  
  4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c
- SHA512
  
  6bcbcaed03b99438a25efec6492153db82b5bbcef91a892abacbe5dc2ac9d78e89e2a3104ca411dffe242f6a3ead752d824cf054a7086a30039755b747400b03
Score

10^/10

trickbot mon44 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.bin
- Size
  
  300KB
- MD5
  
  d564753c69c611fb485af9b66b967630
- SHA1
  
  056f88c4f7f0ed8f746f36f3cc37961c606bbf40
- SHA256
  
  7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5
- SHA512
  
  ade094db28924395908b6afff429ae716e0f58b7a4eef04f835bef5bff5e476c0fd3754ac94cb6810b67d6c666995e0fc45c05da33bf48a3a9b7f1dac17ddeea
Score

10^/10

trickbot mon42 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
behavioral5 behavioral6
- Target
  
  202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.bin
- Size
  
  216KB
- MD5
  
  06ddae0e67a048aff8829413a7903bec
- SHA1
  
  aee60f4e070f845183b59f16dad84a72733e4d0a
- SHA256
  
  8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7
- SHA512
  
  8dbecf12c003a996f4f41e9e087531a3c6e1572aaf6f4e6e0538d155febb3c5b20fe8cf0b267716091f5db656a95d5de9254fc911056883380589863d899e1bd
Score

10^/10

gozi_ifsb 2200 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral7 behavioral8
- Target
  
  202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.bin
- Size
  
  93KB
- MD5
  
  913c77883aa2e28ec98e5cf86d6fc2cb
- SHA1
  
  5a5c60b32770cb4654269a812d07e13767ad7ed6
- SHA256
  
  ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
- SHA512
  
  8722b1958bdea7c23073d4f26c8f47221244ff44d243d253948a48d3635b5c96131078cb867e3f83f6cfdb4800c26ca4da9b4c12ce56219591b5c716ba058bf9
Score

10^/10

gozi_ifsb 3300 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral9 behavioral10
- Target
  
  202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.bin
- Size
  
  382KB
- MD5
  
  7ba23b2b6b50cfc3711362f465d926be
- SHA1
  
  299c710f249b80580105014d4e4e9b92f32e0577
- SHA256
  
  c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63
- SHA512
  
  9954690178c9ceb30edd7a44ab9d662a32c669a2b6eedaf6582274aaf3752426bca0e4e6ee1dc6e1a864e0cf3364314198108aab13c88f7272775c31a53491ea
Score

10^/10

trickbot mon44 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.bin
- Size
  
  596KB
- MD5
  
  e07d47927df912332bc84b3f98586091
- SHA1
  
  b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
- SHA256
  
  cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
- SHA512
  
  05fc68821232f43b1b598a5c3989d18e5487f87316803a8d2e732cd1afed88034f6482be256c9894a4a56b6fe4efdec748a982c90c7609c64d24ff77b5b56396
Score

10^/10

gozi_ifsb 2200 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral13 behavioral14
- Target
  
  202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.bin
- Size
  
  329KB
- MD5
  
  48cab21fcbe254e7c83f4c1d455a39dc
- SHA1
  
  b96c1f765abb14eb401cacab6f6e203c3a255df9
- SHA256
  
  f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73
- SHA512
  
  0375a26a2d6d8990d202b75b4cb6797d03300ddc077c4dcb05778365212644ee49ce6e437fde0b77e1b8179d01ffad028635869d2f3897333b85471724d15ebc
Score

10^/10

trickbot mon48 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Trickbot

Templ.dll packer

Looks up external IP address via web service

Trickbot

Templ.dll packer

Gozi, Gozi IFSB

Gozi, Gozi IFSB

Trickbot

Templ.dll packer

Looks up external IP address via web service

Gozi, Gozi IFSB

Trickbot

Templ.dll packer

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16