Overview

overview

10

Static

static

39eea40fdc...cc.exe

windows7_x64

10

39eea40fdc...cc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    39eea40fdc333ea98b9c03a4b2dc435fc1b03068746d8b996524a30acd8601cc

  • Size

    370KB

  • Sample

    220625-h6kd5aahfq

  • MD5

    6bafe8c77eff3053b5aa90804fe98070

  • SHA1

    86ea85a8593df980171d01716f81d9a032f55c09

  • SHA256

    39eea40fdc333ea98b9c03a4b2dc435fc1b03068746d8b996524a30acd8601cc

  • SHA512

    e682e56c9e8d77ce293bad91dea309b5c02b723602f8b2793c5fff8703f521af52d3e1b14185631532937d64eede360901b3a2a1b07e46c3aac4699176f9d045

Score
10/10
gozi_ifsb2000bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    217061

Extracted

Family

gozi_ifsb

Botnet

2000

C2

intro.tir001.at/rpc

doa.quappak.at/rpc

api.siperskon.at/rpc

io.tir001.at/rpc

ytruieowphf.bit/rpc

u2.ceelop.at/rpc

enter.nokartoon.at/rpc

api.nwq2000.at/rpc

cd.iqwoker.at/rpc

api.fin150.at/rpc

chat.loop1000.at/rpc

chat.iqwoker.at/rpc

mahono.cn/rpc
Attributes
  • build

    217061

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • dns_servers

    192.71.245.208

    8.8.8.8

    178.17.170.179

    82.196.9.45

    151.80.222.79

    68.183.70.217

    217.144.135.7

    158.69.160.164

    207.148.83.241

    5.189.170.196

    217.144.132.148

    94.247.43.254

    188.165.200.156

    159.89.249.249

    150.249.149.222

  • exe_type

    loader

  • server_id

    150

rsa_pubkey.plain
serpent.plain

Targets

    • Target

      39eea40fdc333ea98b9c03a4b2dc435fc1b03068746d8b996524a30acd8601cc

    • Size

      370KB

    • MD5

      6bafe8c77eff3053b5aa90804fe98070

    • SHA1

      86ea85a8593df980171d01716f81d9a032f55c09

    • SHA256

      39eea40fdc333ea98b9c03a4b2dc435fc1b03068746d8b996524a30acd8601cc

    • SHA512

      e682e56c9e8d77ce293bad91dea309b5c02b723602f8b2793c5fff8703f521af52d3e1b14185631532937d64eede360901b3a2a1b07e46c3aac4699176f9d045

    Score
    10/10
    gozi_ifsb2000bankertrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks