gozi_ifsb | f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3 | Triage

Sharing

General

Target

f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3
Size

177KB
Sample

220201-krhyvscce5
MD5

b4d2cdc7fffc68ca3ec95c30b96e3d18
SHA1

b4db6203fbecf2ef38372e0f9bbc3fe960e1f07a
SHA256

f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3
SHA512

349ee2feb39dddbe55ec33dd52a8b1988a2579cbcc40d89c1e6d330f46e2484561c41221b5c5f533581123044a4dfe89b78ac19d54c37241920965bcf721b4e7

Score

10^/10

gozi_ifsb 1071 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1071

C2

127.0.0.1

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3
- Size
  
  177KB
- MD5
  
  b4d2cdc7fffc68ca3ec95c30b96e3d18
- SHA1
  
  b4db6203fbecf2ef38372e0f9bbc3fe960e1f07a
- SHA256
  
  f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3
- SHA512
  
  349ee2feb39dddbe55ec33dd52a8b1988a2579cbcc40d89c1e6d330f46e2484561c41221b5c5f533581123044a4dfe89b78ac19d54c37241920965bcf721b4e7
Score

10^/10

gozi_ifsb banker trojan persistence
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Sets service image path in registry
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsbbankertrojan

behavioral2

gozi_ifsbbankerpersistencetrojan