gozi_ifsb | 9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4 | Triage

Sharing

General

Target

ad4385d58755109a4435e89456dcccfd.exe
Size

279KB
Sample

210227-wk84jsr4qa
MD5

ad4385d58755109a4435e89456dcccfd
SHA1

0f1a719312f55f9955ab5f04f34e9127297aec09
SHA256

9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
SHA512

629e0ea4ddf4d0a83a1e881e7e4fafb9d6fdfe110dcf665b04fdfe9f976fa9bf046280424f32c79b12075286638219d57300a57691306ed2505409bf679e1c81

Score

10^/10

gozi_ifsb 6565 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6565

C2

updates.microsoft.com

klounisoronws.xyz

darwikalldkkalsld.xyz

c1.microsoft.com

ctldl.windowsupdate.com

195.123.209.122

185.82.218.23

5.34.183.180

bloombergdalas.xyz

groovermanikos.xyz

kadskasdjlkewrjk.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  ad4385d58755109a4435e89456dcccfd.exe
- Size
  
  279KB
- MD5
  
  ad4385d58755109a4435e89456dcccfd
- SHA1
  
  0f1a719312f55f9955ab5f04f34e9127297aec09
- SHA256
  
  9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
- SHA512
  
  629e0ea4ddf4d0a83a1e881e7e4fafb9d6fdfe110dcf665b04fdfe9f976fa9bf046280424f32c79b12075286638219d57300a57691306ed2505409bf679e1c81
Score

10^/10

gozi_ifsb 6565 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb6565bankertrojan

behavioral2

gozi_ifsb6565bankertrojan