gozi_ifsb | 029940bbdcf98c98a682c7e0af998b58aced8e0530fffc4caf97f466544f66ab | Triage

Sharing

General

Target

250224.exe
Size

36KB
Sample

220304-j8er4aeag4
MD5

8a303945bd046ffb8e2e8c45af7c4429
SHA1

d815f5d692d655ff2e5e5d1edf7e39cad1833d8b
SHA256

029940bbdcf98c98a682c7e0af998b58aced8e0530fffc4caf97f466544f66ab
SHA512

27b0b87ef17d9a3386ff41349dc55984e38b4e45b14472d1b49cdeb30b71947f5edef4c4a86d28e7d68739865b58e21c2d8e5aaefe4dd1b7fdd84676d527edfd

Score

10^/10

gozi_ifsb 20000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/signin

143.198.56.58

Attributes

base_path
/peer/
build
250225
exe_type
loader
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

C2

skype.com/login

143.198.56.58

Attributes

base_path
/images/
build
250225
exe_type
worker
extension
.prv
server_id
50

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

Targets

- Target
  
  250224.exe
- Size
  
  36KB
- MD5
  
  8a303945bd046ffb8e2e8c45af7c4429
- SHA1
  
  d815f5d692d655ff2e5e5d1edf7e39cad1833d8b
- SHA256
  
  029940bbdcf98c98a682c7e0af998b58aced8e0530fffc4caf97f466544f66ab
- SHA512
  
  27b0b87ef17d9a3386ff41349dc55984e38b4e45b14472d1b49cdeb30b71947f5edef4c4a86d28e7d68739865b58e21c2d8e5aaefe4dd1b7fdd84676d527edfd
Score

10^/10

gozi_ifsb 20000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

gozi_ifsb20000bankertrojan