gozi_ifsb | 3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae | Triage

Sharing

General

Target

globalCounter.hta
Size

2KB
Sample

210614-z77rh36xmx
MD5

a10cc5c493b3ebc1f075424e146e92f0
SHA1

1ccaa12aae57ee57c36db36d5eb315373bcadb6c
SHA256

3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae
SHA512

148c03979dedb4b24ca88dad4b0d4d7ea6409febd34921044fa37be016632bb0267c737ef2b0d3da317010f0a868ced277ec632868cd8810fdc80646260adcdd

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Targets

- Target
  
  globalCounter.hta
- Size
  
  2KB
- MD5
  
  a10cc5c493b3ebc1f075424e146e92f0
- SHA1
  
  1ccaa12aae57ee57c36db36d5eb315373bcadb6c
- SHA256
  
  3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae
- SHA512
  
  148c03979dedb4b24ca88dad4b0d4d7ea6409febd34921044fa37be016632bb0267c737ef2b0d3da317010f0a868ced277ec632868cd8810fdc80646260adcdd
Score

10^/10

gozi_ifsb 6000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb6000bankertrojan

behavioral2