gozi_ifsb | 2804e1927303f37313996430c3f824db6f0a471793ccae5d5e29216c60bda682 | Triage

Sharing

General

Target

2804e1927303f37313996430c3f824db6f0a471793ccae5d5e29216c60bda682
Size

746KB
Sample

220306-1vryyahcbp
MD5

97f94973600a1621a88f29704ccd221b
SHA1

0919ba792fd99f6d38807616125eeb2dc7b91f5b
SHA256

2804e1927303f37313996430c3f824db6f0a471793ccae5d5e29216c60bda682
SHA512

98b97764d79336814c4f1974cb896f8b8ecd3e43a64c07ea5212b06f74f68301cc3b1ec6b15244e8d4e298e464aacec85ddfd59eefa42dd9cd07d3b70e225a6e

Score

10^/10

gozi_ifsb 1100 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2

api10.laptok.at/api1

Attributes

build
250157
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  2804e1927303f37313996430c3f824db6f0a471793ccae5d5e29216c60bda682
- Size
  
  746KB
- MD5
  
  97f94973600a1621a88f29704ccd221b
- SHA1
  
  0919ba792fd99f6d38807616125eeb2dc7b91f5b
- SHA256
  
  2804e1927303f37313996430c3f824db6f0a471793ccae5d5e29216c60bda682
- SHA512
  
  98b97764d79336814c4f1974cb896f8b8ecd3e43a64c07ea5212b06f74f68301cc3b1ec6b15244e8d4e298e464aacec85ddfd59eefa42dd9cd07d3b70e225a6e
Score

10^/10

gozi_ifsb 1100 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1100bankersuricatatrojan

behavioral2

gozi_ifsb1100bankersuricatatrojan