gozi_ifsb | f3ac2a9eff98276ff2c1478f897721d910ef5f706ad341c7eabd627e71d2072c | Triage

Submit
Reports

Overview

overview

Static

static

61b8636067f2b.tar.dll

windows7_x64

61b8636067f2b.tar.dll

windows10_x64

Sharing

General

Target

61b8636067f2b.tar
Size

1.7MB
Sample

211214-lgrcxsfec4
MD5

21a543254be9ed87668a1e9b282380ee
SHA1

60d0d34e80ad511f23a5ff8d9f5794bb5bf679f4
SHA256

f3ac2a9eff98276ff2c1478f897721d910ef5f706ad341c7eabd627e71d2072c
SHA512

f3121b6ad17fb90edf0389642341ec2831902b1acc1241265fa2f1fee7b76359f3da919f2bfc82dcb84eaca2d1230219e0590fd78b4959ba62ef5293e2db5420

Score

10^/10

gozi_ifsb 8899 banker trojan

Static task

static1

Behavioral task

behavioral1

Sample

61b8636067f2b.tar.dll

Resource

win7-en-20211208

gozi_ifsb 8899 banker trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

61b8636067f2b.tar.dll

Resource

win10-en-20211208

gozi_ifsb 8899 banker trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  61b8636067f2b.tar
- Size
  
  1.7MB
- MD5
  
  21a543254be9ed87668a1e9b282380ee
- SHA1
  
  60d0d34e80ad511f23a5ff8d9f5794bb5bf679f4
- SHA256
  
  f3ac2a9eff98276ff2c1478f897721d910ef5f706ad341c7eabd627e71d2072c
- SHA512
  
  f3121b6ad17fb90edf0389642341ec2831902b1acc1241265fa2f1fee7b76359f3da919f2bfc82dcb84eaca2d1230219e0590fd78b4959ba62ef5293e2db5420
Score

10^/10

gozi_ifsb 8899 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb8899bankertrojan

behavioral2

gozi_ifsb8899bankertrojan

© 2018-2024

Terms | Privacy