gozi_ifsb | ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3 | Triage

Sharing

General

Target

ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3
Size

213KB
Sample

220701-hex6xahhc4
MD5

dff480cd23f848f857536e74007a4d15
SHA1

e5812cb089df331d5904173b8fb632de04d0994c
SHA256

ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3
SHA512

5fd4221823d82f207cb92998170fe82889a7a1616ecd3a6feb29dac6a297512cfb8678accbd92f68648191bf9042c57964fddebbfd51c79e136ca7998c6ef1d2

Score

10^/10

gozi_ifsb 2000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2000

C2

foo.fulldin.at/webstore

bat.fulldin.at/webstore

Attributes

build
217107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
dns_servers
193.183.98.66
89.40.116.230
94.247.43.254
195.10.195.195
8.8.8.8
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3
- Size
  
  213KB
- MD5
  
  dff480cd23f848f857536e74007a4d15
- SHA1
  
  e5812cb089df331d5904173b8fb632de04d0994c
- SHA256
  
  ecc8442d71e5f124b3f368e351a6d5bb094a2f64ecb7618dc233c3fbaae31cb3
- SHA512
  
  5fd4221823d82f207cb92998170fe82889a7a1616ecd3a6feb29dac6a297512cfb8678accbd92f68648191bf9042c57964fddebbfd51c79e136ca7998c6ef1d2
Score

10^/10

gozi_ifsb 2000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb2000bankertrojan

behavioral2

gozi_ifsb2000bankertrojan