gozi_ifsb | edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f

General

Target

ssee.exe
Size

2.5MB
Sample

220304-j283csffdn
MD5

b545e2b0fdf47667624c08999c0b873e
SHA1

da6f23f5a9fbd123025d6a2b9cd39c2355b7345c
SHA256

edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
SHA512

908dc1ec45f023e649b9de0cc7cf32f2a02a404012cf78c393dce2b8064350a3ab1b8e541a920a6fdb94a17d05547ad77a1eda6a4e1c204472cf71749e71bda2

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/signin

143.198.56.58

Attributes

base_path
/peer/
build
250225
exe_type
loader
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/login

143.198.56.58

Attributes

base_path
/images/
build
250225
exe_type
worker
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

Targets

- Target
  
  ssee.exe
- Size
  
  2.5MB
- MD5
  
  b545e2b0fdf47667624c08999c0b873e
- SHA1
  
  da6f23f5a9fbd123025d6a2b9cd39c2355b7345c
- SHA256
  
  edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
- SHA512
  
  908dc1ec45f023e649b9de0cc7cf32f2a02a404012cf78c393dce2b8064350a3ab1b8e541a920a6fdb94a17d05547ad77a1eda6a4e1c204472cf71749e71bda2
Score

10^/10

gozi_ifsb 20000 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Remote System Discovery

2

T1018

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2