gozi_ifsb | c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa | Triage

Sharing

General

Target

c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa
Size

42KB
Sample

220201-k94chscfd9
MD5

50f6f5e7eed54c3d981f33fce45bcfe5
SHA1

2e6dea36eeda83e5f8f7d4bf3589d6bca42c50ed
SHA256

c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa
SHA512

c2665fd557a4f405cbb62bd8ce253a831783b44375f4538a14915ef433d39d003455ebaca3d50998701ca3a6f198073c742348d5d6e3dbb20dd5a3c14bf786a0

Score

10^/10

gozi_ifsb 2000 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
217107

Extracted

Family

gozi_ifsb

Botnet

2000

C2

w8.wensa.at/api1

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
dns_servers
193.183.98.66
51.15.98.97
94.247.43.254
195.10.195.195
8.8.8.8
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa
- Size
  
  42KB
- MD5
  
  50f6f5e7eed54c3d981f33fce45bcfe5
- SHA1
  
  2e6dea36eeda83e5f8f7d4bf3589d6bca42c50ed
- SHA256
  
  c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa
- SHA512
  
  c2665fd557a4f405cbb62bd8ce253a831783b44375f4538a14915ef433d39d003455ebaca3d50998701ca3a6f198073c742348d5d6e3dbb20dd5a3c14bf786a0
Score

10^/10

gozi_ifsb 2000 banker trojan persistence
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb2000bankertrojan

behavioral2

gozi_ifsb2000bankerpersistencetrojan