gozi_ifsb | fbd263fef5fd3d0033d57b36d4118780c7de4a615e568b54587dbaf7c5397037 | Triage

Sharing

General

Target

fbd263fef5fd3d0033d57b36d4118780c7de4a615e568b54587dbaf7c5397037
Size

162KB
Sample

220701-hw5mbaagc6
MD5

e8bf277e4cd749304f61e9d95275d397
SHA1

a2ad72750ccf2d6d84eb69504333536dfa0c89cb
SHA256

fbd263fef5fd3d0033d57b36d4118780c7de4a615e568b54587dbaf7c5397037
SHA512

da654e2df7ee680a3eb7470e1a51e1ab4382ed18b9f6f3915088558e23772522e3af11bb932b9f972b75402f595d2bd93f37666b620eac1706a927c4d9dc43f5

Score

10^/10

gozi_ifsb 3529 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214107

Extracted

Family

gozi_ifsb

Botnet

3529

C2

gmail.com

google.com

nfyuabel.com

rwoodrowyioay.com

gqx21mcou.com

Attributes

build
214107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  fbd263fef5fd3d0033d57b36d4118780c7de4a615e568b54587dbaf7c5397037
- Size
  
  162KB
- MD5
  
  e8bf277e4cd749304f61e9d95275d397
- SHA1
  
  a2ad72750ccf2d6d84eb69504333536dfa0c89cb
- SHA256
  
  fbd263fef5fd3d0033d57b36d4118780c7de4a615e568b54587dbaf7c5397037
- SHA512
  
  da654e2df7ee680a3eb7470e1a51e1ab4382ed18b9f6f3915088558e23772522e3af11bb932b9f972b75402f595d2bd93f37666b620eac1706a927c4d9dc43f5
Score

10^/10

gozi_ifsb 3529 banker suricata trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb3529bankersuricatatrojan

behavioral2

gozi_ifsb3529bankertrojan