Overview

overview

10

Static

static

Setup-9.05...11.exe

windows7_x64

10

Setup-9.05...11.exe

windows10_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup-9.05.0225.1111.exe.zip

  • Size

    30.4MB

  • Sample

    210728-cq1ag5vw6e

  • MD5

    c58def7b0f8b9c5a9443a04c4efbe96c

  • SHA1

    aeb647f05e28d35d4181655818ddd628f776c843

  • SHA256

    d764a2af9c30f5eb532389e1ada0358e32053c622fe2e89b9032f0f51caf8ede

  • SHA512

    c6f3dccd50c01eed4238b979a899118f84c49db9c7f61070c15cf552ff771b5d3dc384838bb48ef7b32dd196272f37246b9dc7cd5a6aa42cea818f0e6b1a5dcb

Score
10/10
gozi_ifsbbankerdiscoveryevasionpersistencetrojan

Malware Config

Targets

    • Target

      Setup-9.05.0225.1111.exe

    • Size

      31.1MB

    • MD5

      3b8bba3ca09ba8bc57d51cc84b748826

    • SHA1

      fe1abc07183929ca78d6e00b45737000ca01c0db

    • SHA256

      713aa63fbb0078ec6ae542db18f5c557e96119ee3bf49fdb6bb1692b100de0ff

    • SHA512

      b67d963408fdbbe00bdd21b1eed35827a9d8666689f23915ed7981457c4dd3976f4bac61912a23e70c6ca2b31ab981b666408a8653508448e05484aa3a89cf9c

    Score
    10/10
    gozi_ifsbbankerdiscoveryevasionpersistencetrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks