gozi_ifsb | 42b7c2ea97c98f21d2a5fb271364530115369f9bb08ef03fa57013cc036b6f00 | Triage

Sharing

General

Target

617683636aa85.tiff
Size

942KB
Sample

211025-magetaghcr
MD5

63bf1fa8174987625e5e43cb0ed13e82
SHA1

644b87f4721c0b9b5409d19717dffea20b788081
SHA256

42b7c2ea97c98f21d2a5fb271364530115369f9bb08ef03fa57013cc036b6f00
SHA512

1ddd98f42cb271bd55f96a2291951ec761f81b8958269e67166c74ff40c3ce65a96c0011c4a024a6b1c54709043ab8cba4b22ddefa435b20696556057c2737f8

Score

10^/10

gozi_ifsb 8899 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

msn.com/mail

realitystorys.com

outlook.com/signup

gderrrpololo.net

Attributes

build
260212
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  617683636aa85.tiff
- Size
  
  942KB
- MD5
  
  63bf1fa8174987625e5e43cb0ed13e82
- SHA1
  
  644b87f4721c0b9b5409d19717dffea20b788081
- SHA256
  
  42b7c2ea97c98f21d2a5fb271364530115369f9bb08ef03fa57013cc036b6f00
- SHA512
  
  1ddd98f42cb271bd55f96a2291951ec761f81b8958269e67166c74ff40c3ce65a96c0011c4a024a6b1c54709043ab8cba4b22ddefa435b20696556057c2737f8
Score

10^/10

gozi_ifsb 8899 banker trojan suricata
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- Blocklisted process makes network request
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

gozi_ifsb8899bankertrojan

behavioral2

gozi_ifsb8899bankersuricatatrojan