General

  • Target

    decree 06.21.doc

  • Size

    45KB

  • Sample

    210610-e8awzvkmm2

  • MD5

    46e887ac0d356a30dc8a9971d9486dbe

  • SHA1

    60468618a0e2e4d815af07e8652fba0437ddc5e6

  • SHA256

    83439db58d913186b422724bea2ed8d674956e8f1c2b3f00dc6c8b91d60ffdba

  • SHA512

    83a59a9afb67d5e4f9f49938df7a496839cda47d425b74405052ddc864a480efb4dfd0a55847e5dbe866762cc9f10210fa23cd5a8a40a06b2a0b002fff916d63

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

  • build

    250204

  • exe_type

    loader

  • server_id

    580

  • rsa_pubkey.base64

  • serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112), count: 1

Discovery

  • System Information Discovery (T1082), count: 3

  • Query Registry (T1012), count: 2

Tasks