gozi_ifsb | eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87

General

Target

a3aa691bc97faf6f17eec0841b5ff730.dll
Size

1.0MB
Sample

210418-at7b49647s
MD5

a3aa691bc97faf6f17eec0841b5ff730
SHA1

9a642c22ebc19f4f8063b5ae986843916309b95a
SHA256

eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
SHA512

6664e24a698b1f7b392b8bcc1f64525b90ee0b6d63d4c86fd4f099888dcb1b90a6dde7986b406abdb3813941e1e7e9c35fe9268951996ff18aba0ae290ada939

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://buismashallah.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Extracted

Family

gozi_ifsb

Botnet

1000

C2

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://buismashallah.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  a3aa691bc97faf6f17eec0841b5ff730.dll
- Size
  
  1.0MB
- MD5
  
  a3aa691bc97faf6f17eec0841b5ff730
- SHA1
  
  9a642c22ebc19f4f8063b5ae986843916309b95a
- SHA256
  
  eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
- SHA512
  
  6664e24a698b1f7b392b8bcc1f64525b90ee0b6d63d4c86fd4f099888dcb1b90a6dde7986b406abdb3813941e1e7e9c35fe9268951996ff18aba0ae290ada939
Score

10^/10

gozi_ifsb 1000 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2