gozi_ifsb | fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e | Triage

Submit
Reports

Overview

overview

Static

static

6.png.dll

windows7_x64

6.png.dll

windows10_x64

Sharing

General

Target

6.png
Size

1.7MB
Sample

211214-lhmq5agefp
MD5

ac57d694b86d8532b38d3d62f6de3afc
SHA1

c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256

fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
SHA512

cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b

Score

10^/10

gozi_ifsb 8899 banker suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

6.png.dll

Resource

win7-en-20211208

gozi_ifsb 8899 banker suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6.png.dll

Resource

win10-en-20211208

gozi_ifsb 8899 banker suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

microsoft.com/windowsdisabler

windows.update3.com

berukoneru.website

gerukoneru.website

fortunarah.com

assets.msn.com

http://microsoft.com

79.110.52.217

79.110.52.215

45.9.20.190

45.9.20.128

aerukoneru.site

serukoneru.site

yerukoneru.site

karfaganda.com

Attributes

base_path
/tire/
build
260222
dga_season
10
exe_type
loader
extension
.eta
server_id
12

rsa_pubkey.plain

serpent.plain

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  6.png
- Size
  
  1.7MB
- MD5
  
  ac57d694b86d8532b38d3d62f6de3afc
- SHA1
  
  c858ec742ba91bf8c139b7bb654ca2d67747c5ef
- SHA256
  
  fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
- SHA512
  
  cd9635d667a43c0d6715ec05c114c424b3f1292d7997c8d6c86f937ff81a08262763d33621c7d75d3c2a5fac75b58c71489fe3360fd4a2d6c804e7a72a06683b
Score

10^/10

gozi_ifsb 8899 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- suricata: ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12
  suricata: ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12
  suricata
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb8899bankersuricatatrojan

behavioral2

gozi_ifsb8899bankersuricatatrojan

© 2018-2024

Terms | Privacy