gozi_ifsb | 3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3 | Triage

Submit
Reports

Overview

overview

Static

static

3b3c2bbd44...f3.exe

windows7_x64

3b3c2bbd44...f3.exe

windows10-2004_x64

Sharing

General

Target

3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3
Size

369KB
Sample

220703-vp6x1sbgg5
MD5

506e018cc6924a36703773cfe8310746
SHA1

3ade716c25d6c7417316687dfd16af63b85eb3b5
SHA256

3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3
SHA512

62032047608c35cf94e561b8501330723165300dc86262023eb312dab6f1b49c81c26e25e7c121591b79f9a1be40df158a7e788108c7b339270d9e60681d4baa

Score

10^/10

gozi_ifsb 1000 banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3.exe

Resource

win7-20220414-en

gozi_ifsb 1000 banker persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3.exe

Resource

win10v2004-20220414-en

gozi_ifsb 1000 banker persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

dipsitripsikey70.com/adwordsdata/dropbox/xxx

underbulletkey77.com/adwordsdata/dropbox/xxx

statisticaregger32.com/adwordsdata/dropbox/xxx

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3
- Size
  
  369KB
- MD5
  
  506e018cc6924a36703773cfe8310746
- SHA1
  
  3ade716c25d6c7417316687dfd16af63b85eb3b5
- SHA256
  
  3b3c2bbd44645af71db243bdb80635e8ab9e5c6c830d1362ad0fbb439c22c4f3
- SHA512
  
  62032047608c35cf94e561b8501330723165300dc86262023eb312dab6f1b49c81c26e25e7c121591b79f9a1be40df158a7e788108c7b339270d9e60681d4baa
Score

10^/10

gozi_ifsb 1000 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1000bankerpersistencetrojan

behavioral2

gozi_ifsb1000bankerpersistencetrojan

© 2018-2024

Terms | Privacy