Overview

overview

10

Static

static

SecuriteIn...50.exe

windows7_x64

10

SecuriteIn...50.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Suspicious.Win32.Save.a.31250.26774

  • Size

    208KB

  • Sample

    220302-2ljrmsgdg3

  • MD5

    83c0ef52beab49e8094e11b315220f78

  • SHA1

    9996f592ddc8aa205113f2d611ef3e3aca1ba13b

  • SHA256

    ca46cdaacb0f193d203f135cd546310e06125405c9c44648f10f1dbcdb343ca0

  • SHA512

    9310ad1a4069e4c8e5700b04f6170fcb8129b4ec16711539546693310a4576305bb6bc5e95626ed029311123e7b99f63e9a60acd5564b5ee3eb52cd8b4b5b9cb

Score
10/10
gozi_ifsb20000bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/signin

143.198.56.58
Attributes
  • base_path

    /peer/

  • build

    250225

  • exe_type

    loader

  • extension

    .prv

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/login

143.198.56.58
Attributes
  • base_path

    /images/

  • build

    250225

  • exe_type

    worker

  • extension

    .prv

  • server_id

    50

rsa_pubkey.plain
aes.plain
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Suspicious.Win32.Save.a.31250.26774

    • Size

      208KB

    • MD5

      83c0ef52beab49e8094e11b315220f78

    • SHA1

      9996f592ddc8aa205113f2d611ef3e3aca1ba13b

    • SHA256

      ca46cdaacb0f193d203f135cd546310e06125405c9c44648f10f1dbcdb343ca0

    • SHA512

      9310ad1a4069e4c8e5700b04f6170fcb8129b4ec16711539546693310a4576305bb6bc5e95626ed029311123e7b99f63e9a60acd5564b5ee3eb52cd8b4b5b9cb

    Score
    10/10
    gozi_ifsb20000bankertrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Remote System Discovery

2
T1018

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks