gozi_ifsb | c22549f613c75598c303b06f21c96a93c3e9fa8599278564cacc1139f9bf1fbd | Triage

Submit
Reports

Overview

overview

Static

static

61b85f6868...ff.dll

windows7_x64

61b85f6868...ff.dll

windows10_x64

Sharing

General

Target

61b85f6868015.tiff
Size

1.7MB
Sample

211214-k498wafdh9
MD5

84a5ac47cc293aecccee498ea2babf5a
SHA1

7bf025a300cb8ec2dfdd431dc35726de2da87eba
SHA256

c22549f613c75598c303b06f21c96a93c3e9fa8599278564cacc1139f9bf1fbd
SHA512

332a8a659a6ba97b1784eb42f385fe4fcc78362c35978b597bb2a74461c6d7b72f00c59acd5b3f7515203ab3dc2f50f078154d4a1920f547831f23267f242274

Score

10^/10

gozi_ifsb 8899 banker trojan

Static task

static1

Behavioral task

behavioral1

Sample

61b85f6868015.tiff.dll

Resource

win7-en-20211208

gozi_ifsb 8899 banker trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

61b85f6868015.tiff.dll

Resource

win10-en-20211208

gozi_ifsb 8899 banker trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  61b85f6868015.tiff
- Size
  
  1.7MB
- MD5
  
  84a5ac47cc293aecccee498ea2babf5a
- SHA1
  
  7bf025a300cb8ec2dfdd431dc35726de2da87eba
- SHA256
  
  c22549f613c75598c303b06f21c96a93c3e9fa8599278564cacc1139f9bf1fbd
- SHA512
  
  332a8a659a6ba97b1784eb42f385fe4fcc78362c35978b597bb2a74461c6d7b72f00c59acd5b3f7515203ab3dc2f50f078154d4a1920f547831f23267f242274
Score

10^/10

gozi_ifsb 8899 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb8899bankertrojan

behavioral2

gozi_ifsb8899bankertrojan

© 2018-2024

Terms | Privacy