gozi_ifsb | b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73 | Triage

Submit
Reports

Overview

overview

Static

static

7382622743229626.xll

windows7_x64

7

7382622743229626.xll

windows10-2004_x64

Sharing

General

Target

7382622743229626.xll
Size

667KB
Sample

220303-x3a4lsdhfl
MD5

41a2f1ec8b11f55f61e09fb48decb301
SHA1

06ca167ffe9c806032f27d7b621c9380eb7136ed
SHA256

b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
SHA512

4b72b655ec855b5c08f714fc5ca6d4d256df1a95c377cab0350f88e377c6fe626c0e1aaa9f5a3a9fb9789afc4df715552a00ad2dac1ce93c8c9af9463f7cbb67

Score

10^/10

gozi_ifsb 20000 banker suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

7382622743229626.xll

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

7382622743229626.xll

Resource

win10v2004-en-20220112

gozi_ifsb 20000 banker suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/signin

143.198.56.58

Attributes

base_path
/peer/
build
250225
exe_type
loader
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/login

143.198.56.58

Attributes

base_path
/images/
build
250225
exe_type
worker
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

Targets

- Target
  
  7382622743229626.xll
- Size
  
  667KB
- MD5
  
  41a2f1ec8b11f55f61e09fb48decb301
- SHA1
  
  06ca167ffe9c806032f27d7b621c9380eb7136ed
- SHA256
  
  b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
- SHA512
  
  4b72b655ec855b5c08f714fc5ca6d4d256df1a95c377cab0350f88e377c6fe626c0e1aaa9f5a3a9fb9789afc4df715552a00ad2dac1ce93c8c9af9463f7cbb67
Score

10^/10

gozi_ifsb 20000 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

gozi_ifsb20000bankersuricatatrojan

© 2018-2024

Terms | Privacy