gozi_ifsb | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72 | Triage

Submit
Reports

Overview

overview

Static

static

l0V19y95

windows7_x64

Sharing

General

Target

l0V19y95
Size

717B
Sample

220525-tdgy3sffar
MD5

54e9306f95f32e50ccd58af19753d929
SHA1

eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256

45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512

8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Score

10^/10

gozi_ifsb 3000 banker persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

l0V19y95

Resource

win7-20220414-it

gozi_ifsb 3000 banker persistence suricata trojan

windows7_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

176.10.119.68

176.10.119.81

Attributes

base_path
/drew/
build
250229
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

cabrioxmdes.at

gamexperts.net

37.10.71.138

185.158.250.51

Attributes

base_path
/images/
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  l0V19y95
- Size
  
  717B
- MD5
  
  54e9306f95f32e50ccd58af19753d929
- SHA1
  
  eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
- SHA256
  
  45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
- SHA512
  
  8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
Score

10^/10

gozi_ifsb 3000 banker persistence suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata: ET MALWARE Ursnif Variant CnC Beacon
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Process Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb3000bankerpersistencesuricatatrojan

© 2018-2024

Terms | Privacy