gozi_ifsb | 6284645bd98d27e05650ff3a09af5a013e9970ecd7471116ec77365eed375cf5 | Triage

Sharing

General

Target

0DIhwed2_g4MWK8097.zip
Size

298KB
Sample

210914-yyj2dsgcb7
MD5

750965e0f495513cb3c99d422f770c8d
SHA1

1526639b65b4dd208d2c6d118cc80b792bffbc8b
SHA256

6284645bd98d27e05650ff3a09af5a013e9970ecd7471116ec77365eed375cf5
SHA512

49a42d2993af8165a78440fbfc00422c071e25b09f4eff290fe08e8f2add285e1366ffe51f0310eb7a14501aa4cf38bdd321ff22eba96b1ca275dca9f05553c9

Score

10^/10

gozi_ifsb 1500 banker macro trojan xlm

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://94.140.115.233

Extracted

Family

gozi_ifsb

Botnet

1500

C2

atl.bigbigpoppa.com

pop.urlovedstuff.com

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  Bill[8097].xlsb
- Size
  
  307KB
- MD5
  
  7443f90c24a84c39814f305fbad23030
- SHA1
  
  e871da2d5a3cd9f88d4cccb26971036e70891963
- SHA256
  
  580523804caad17ee6aaa56bd42d2525150a3970e790396b9131519df88366b9
- SHA512
  
  aa68e34d3a72e49b32f77555ef32890dfae203429a824098c55d3cd55af6a70347f56a6408121909e966a6408352142abce42efb0239c1e2126850c2d4aa36ef
Score

10^/10

gozi_ifsb 1500 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1500bankertrojan

behavioral2

gozi_ifsb1500bankertrojan