General

  • Target

    enjoin-06.21.doc

  • Size

    49KB

  • Sample

    210614-hmxynrqf9e

  • MD5

    68f3731796cce6ce450d1b9e05093b2a

  • SHA1

    9ccac54605eb3b0aa365cb359f6c71cb0a912fb8

  • SHA256

    b794fe749ab133b1a4197cd713c0d8e70723058e5c2d3df57b553475c12e42a8

  • SHA512

    ebd6e06b28ccb3a03d463da8d343a79ba31fc0b30424be972a520f5352561ddc4121f0a81744c30b80fb2c18660078c0ea72f0b22303ce2b7c68614c0124592b

Malware Config

Extracted

  • Family

    gozi_ifsb

  • Botnet

    6000

  • C2

    authd.feronok.com
    app.bighomegl.at

Attributes

  • build

    250204

  • exe_type

    loader

  • server_id

    580

  • rsa_pubkey.base64

  • serpent.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1082 System Information Discovery (3)

  • T1012 Query Registry (2)

Tasks