gozi_ifsb | 2f5ecd0d89ed3bf3c52cfa856f1dd4f68fed09b0cc3b827e43fd8e2fbcf0bfc0 | Triage

Sharing

General

Target

rightWWindow.jpg
Size

563KB
Sample

210313-44cp7fam8a
MD5

ed24fcb1db8781f573c3e638465568da
SHA1

b0a26def3b4950163c18385ebe0fe798875078c4
SHA256

2f5ecd0d89ed3bf3c52cfa856f1dd4f68fed09b0cc3b827e43fd8e2fbcf0bfc0
SHA512

8c7262c237a73d6492e54adf9b724a976e1a046f1aa814f199aeb6df4cf153b296ec240a5d0c383e11a98e8763212fb37e2900e396d9e73d4d1a8ee25ceb9496

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

C2

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

185.82.218.53

107.181.187.187

195.123.208.101

185.14.29.31

kraufaundingf.xyz

prilukisoft.xyz

drakluskolikooo.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  rightWWindow.jpg
- Size
  
  563KB
- MD5
  
  ed24fcb1db8781f573c3e638465568da
- SHA1
  
  b0a26def3b4950163c18385ebe0fe798875078c4
- SHA256
  
  2f5ecd0d89ed3bf3c52cfa856f1dd4f68fed09b0cc3b827e43fd8e2fbcf0bfc0
- SHA512
  
  8c7262c237a73d6492e54adf9b724a976e1a046f1aa814f199aeb6df4cf153b296ec240a5d0c383e11a98e8763212fb37e2900e396d9e73d4d1a8ee25ceb9496
Score

10^/10

gozi_ifsb 5500 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb5500bankertrojan

behavioral2

gozi_ifsb5500bankertrojan