gozi_ifsb | 3f6fb13462259057e08c219d56d73a41d7ecd6c5e473fe5a22b7e295003e43cc | Triage

Sharing

General

Target

3f6fb13462259057e08c219d56d73a41d7ecd6c5e473fe5a22b7e295003e43cc
Size

944KB
Sample

220701-bz5m6aeegq
MD5

fc9f55ef05485c28de81abb8e85b29b5
SHA1

658ec409ce325ed086281014c6574aeb7522d590
SHA256

3f6fb13462259057e08c219d56d73a41d7ecd6c5e473fe5a22b7e295003e43cc
SHA512

e8db72cf17cfa4d86ded2240a2e7f1eb6da019bb0e868d9e26cfb2903709a4456e0688d2aaa3d2eaec828f691bf0a5c71779cc3451f2fba7ab4b311171f6de3f

Score

10^/10

gozi_ifsb 1000 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

siberponis.com

baferdifo.com

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3f6fb13462259057e08c219d56d73a41d7ecd6c5e473fe5a22b7e295003e43cc
- Size
  
  944KB
- MD5
  
  fc9f55ef05485c28de81abb8e85b29b5
- SHA1
  
  658ec409ce325ed086281014c6574aeb7522d590
- SHA256
  
  3f6fb13462259057e08c219d56d73a41d7ecd6c5e473fe5a22b7e295003e43cc
- SHA512
  
  e8db72cf17cfa4d86ded2240a2e7f1eb6da019bb0e868d9e26cfb2903709a4456e0688d2aaa3d2eaec828f691bf0a5c71779cc3451f2fba7ab4b311171f6de3f
Score

10^/10

gozi_ifsb 1000 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1000bankerpersistencetrojan

behavioral2

gozi_ifsb1000bankertrojan