General

  • Target

    42.zip

  • Size

    37KB

  • Sample

    210618-3w4mz76yex

  • MD5

    f5ade1ac71bd71da1f08b480cd939edd

  • SHA1

    ee438b4fb9ccc4039552b87b79d8542bbdbabc93

  • SHA256

    4d49ae7c236083099228b2bb42288560a7110face080ea63e20fe25c99840744

  • SHA512

    aaa2ee4f168a958c25d6881b0398f82131babd577f50fef747eba1a284b8282cb220ca9611c80d6538c65dd9865a0cd55292e04b16e4ae417d4d8d493a80628a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

  • rsa_pubkey.base64

  • serpent.plain
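The extracted configuration above is directly actionable for hunting: the two C2 hosts and the sample hashes are the IOCs, and botnet/build/server_id are the attribution you attach to any hit. The following is an added example, not part of the sandbox report, that turns those values into a sweep over DNS logs. The IOC values are copied from the report; the log lines, client addresses and timestamps are constructed for the example. It matches hostnames on DNS label boundaries rather than by substring, so a parent zone or a lookalike that merely embeds the C2 name is not flagged.

```python
"""IOC sweep driven by the extracted Gozi ISFB configuration.

Added example; it is not part of the sandbox report. The C2 hosts, botnet,
build and server_id values and the SHA-256 hashes are copied from the report
above; the log lines are constructed for the example.
"""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Copied from the "Malware Config" section of the report.
GOZI_CONFIG = {
    "family": "gozi_ifsb",
    "botnet": "6000",
    "build": "250204",
    "server_id": "580",
    "c2": ["authd.feronok.com", "app.bighomegl.at"],
}

# SHA-256 values from the "General" and "Targets" sections.
KNOWN_SHA256 = {
    "4d49ae7c236083099228b2bb42288560a7110face080ea63e20fe25c99840744": "42.zip",
    "fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c": "dropped .bin loader",
}

# Constructed DNS log lines (not from the report): "<ts> <client> query <type> <qname>".
# Lines 4 and 5 are deliberate near-misses that a naive substring match would flag.
SAMPLE_DNS_LOG = """\
2021-06-18T03:50:01Z 10.0.0.12 query A authd.feronok.com
2021-06-18T03:50:02Z 10.0.0.12 query A www.example.org
2021-06-18T03:50:07Z 10.0.0.31 query A cdn.app.bighomegl.at
2021-06-18T03:50:09Z 10.0.0.31 query A bighomegl.at
2021-06-18T03:50:11Z 10.0.0.44 query A authd.feronok.com.attacker.example
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def host_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname equals the IOC domain or is one of its subdomains.

    Matching on label boundaries avoids two classic false positives:
    the parent zone ("bighomegl.at") and a lookalike that merely embeds
    the IOC ("authd.feronok.com.attacker.example").
    """
    h = hostname.lower().rstrip(".")
    d = ioc_domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def sweep_dns(
    log_text: str, c2_domains: Iterable[str] = tuple(GOZI_CONFIG["c2"])
) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched C2 domain) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected shape
        for dom in c2_domains:
            if host_matches(m["qname"], dom):
                hits.append((m["ts"], m["client"], m["qname"], dom))
                break
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def known_sample_name(data: bytes) -> Optional[str]:
    """Name from the report if the bytes hash to one of its SHA-256 values, else None."""
    return KNOWN_SHA256.get(sha256_hex(data))


def infected_clients(log_text: str) -> dict:
    """Client -> attribution string built from the extracted config, ready for a ticket."""
    tag = f"{GOZI_CONFIG['family']} botnet={GOZI_CONFIG['botnet']} build={GOZI_CONFIG['build']}"
    return {client: tag for _, client, _, _ in sweep_dns(log_text)}


if __name__ == "__main__":
    for hit in sweep_dns(SAMPLE_DNS_LOG):
        print("C2 lookup:", *hit)
    print(infected_clients(SAMPLE_DNS_LOG))
```

On the constructed log only the first and third lines are hits: the parent zone and the lookalike on lines 4 and 5 are rejected by the label-boundary test. The hash lookup is exact-match only; it tells you a file is this sample, not that a different build of the same loader is absent.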

Targets

    • Target

      fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin

    • Size

      45KB

    • MD5

      cf6d17f7df9d3702c297b9f54bb5c571

    • SHA1

      d554fe56cf733ccb72cf3581b53ec2fcb60106a8

    • SHA256

      fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c

    • SHA512

      f7f069e30042ac9e4334d0279517bd7b24ba982d38a216405ad58762888c6bd9037eaa8ce69333b1fd7638eb77f6b66df45bcad4d407361e22001b5f64045534

    • Gozi, Gozi ISFB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example via an exploit or a malicious document macro.

    • Downloads MZ/PE file

    • Loads dropped DLL
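The "Downloads MZ/PE file" and "Loads dropped DLL" signatures rest on recognising a Windows executable in a downloaded blob: a DOS header starting with "MZ", an e_lfanew offset at 0x3C, and the "PE\0\0" signature followed by a COFF header whose Characteristics field says whether the image is a DLL. The following is an added example of that check, not sandbox code; the byte blobs are constructed here and are not the report's files. It bounds-checks e_lfanew before following it, so a truncated download or a corrupt offset is rejected rather than raising.

```python
"""Minimal MZ/PE header check behind "Downloads MZ/PE file" and "Loads dropped DLL".

Added example, not sandbox code; the byte blobs are constructed here and are
not the files listed in the report.
"""
import struct
from typing import Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics bits
IMAGE_FILE_DLL = 0x2000


def pe_info(data: bytes) -> Optional[dict]:
    """Return {'machine', 'sections', 'is_dll'} if data is an MZ/PE image, else None.

    Checks the DOS magic, bounds-checks e_lfanew before using it, and requires
    the "PE\\0\\0" signature plus a complete 20-byte COFF header.
    """
    # e_lfanew lives at 0x3C, so anything shorter cannot be a PE image.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4 bytes) + COFF header (20 bytes) must fit inside the buffer.
    if e_lfanew + 24 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": hex(machine),
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def classify_download(data: bytes) -> str:
    """Label a downloaded blob the way a sandbox signature would."""
    info = pe_info(data)
    if info is None:
        return "not-pe"
    return "pe-dll" if info["is_dll"] else "pe-exe"


def _fake_image(characteristics: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal image: 64-byte DOS header + PE signature + COFF header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)  # i386, 1 section
    return dos + b"PE\0\0" + coff


# Constructed test inputs (not taken from the report).
DROPPED_DLL = _fake_image(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
DROPPED_EXE = _fake_image(IMAGE_FILE_EXECUTABLE_IMAGE)
TRUNCATED = DROPPED_EXE[:0x48]                 # PE signature present, COFF header cut off
BAD_OFFSET = _fake_image(IMAGE_FILE_EXECUTABLE_IMAGE, e_lfanew=0x10000)
NOT_PE = b"GIF89a" + b"\0" * 100

if __name__ == "__main__":
    for name, blob in [("dll", DROPPED_DLL), ("exe", DROPPED_EXE), ("truncated", TRUNCATED),
                       ("bad-offset", BAD_OFFSET), ("gif", NOT_PE)]:
        print(name, classify_download(blob), pe_info(blob))
```

The check is deliberately header-only: it is what a network or sandbox signature can decide from the first few dozen bytes of a download, and it is enough to separate the PE loader from a benign image or document. It says nothing about the payload being malicious; that is what the hash and C2 indicators above are for.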

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                       ID      Count
Defense Evasion    Modify Registry                 T1112   1
Discovery          Query Registry                  T1012   2
Discovery          System Information Discovery    T1082   2
