gozi_ifsb | 075ad31d8864e79876674c468a4a0f381ab9ce29559db21aad32e10ba8216fa1 | Triage

Sharing

General

Target

kybe4.dll
Size

563KB
Sample

210312-1gs88dx67j
MD5

31a9651f386ed20b3dd3bda2d6177cca
SHA1

92fb6d44f25339ae1f12c0a57071685b37d2f823
SHA256

075ad31d8864e79876674c468a4a0f381ab9ce29559db21aad32e10ba8216fa1
SHA512

bd916da067cc36300f303397e274802d3cc11524d7b0b3ab547bd737cf75d5c8cb67f273b1958220296200d5b08a8675bb4d305896f1811a8110f49df923b9c9

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

185.82.218.53

107.181.187.187

195.123.208.101

185.14.29.31

kraufaundingf.xyz

prilukisoft.xyz

drakluskolikooo.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  kybe4.dll
- Size
  
  563KB
- MD5
  
  31a9651f386ed20b3dd3bda2d6177cca
- SHA1
  
  92fb6d44f25339ae1f12c0a57071685b37d2f823
- SHA256
  
  075ad31d8864e79876674c468a4a0f381ab9ce29559db21aad32e10ba8216fa1
- SHA512
  
  bd916da067cc36300f303397e274802d3cc11524d7b0b3ab547bd737cf75d5c8cb67f273b1958220296200d5b08a8675bb4d305896f1811a8110f49df923b9c9
Score

10^/10

gozi_ifsb 5500 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb5500bankertrojan

behavioral2

gozi_ifsb5500bankertrojan