gozi_ifsb | 38cd03b944e9368f595347945a7a3a3fd657601578fbd74f5954875f0db15644

General

Target

direct.ps1
Size

264B
Sample

210728-wxgty84cv2
MD5

bc63701022e39b52b73a21448e6b5973
SHA1

0195f5f6163eddc5676e357b8e76aa2fa5bf013e
SHA256

38cd03b944e9368f595347945a7a3a3fd657601578fbd74f5954875f0db15644
SHA512

529d35828dfd0b8b5c380b8d11cf91c1e55d4f55c274929372ff210352519d4b0792fbe67f453d3296e2d38a1e2cdf4070d85028034556d5009d943957884f3c

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://docs.zohopublic.eu/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&docExtn=png

Extracted

Family

gozi_ifsb

Botnet

7410

C2

signin.microsoft.com

alliances.bar

allianceline.bar

alliancer.bar

Attributes

build
250206
dns_servers
107.174.86.134
107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  direct.ps1
- Size
  
  264B
- MD5
  
  bc63701022e39b52b73a21448e6b5973
- SHA1
  
  0195f5f6163eddc5676e357b8e76aa2fa5bf013e
- SHA256
  
  38cd03b944e9368f595347945a7a3a3fd657601578fbd74f5954875f0db15644
- SHA512
  
  529d35828dfd0b8b5c380b8d11cf91c1e55d4f55c274929372ff210352519d4b0792fbe67f453d3296e2d38a1e2cdf4070d85028034556d5009d943957884f3c
Score

10^/10

gozi_ifsb 7410 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2