gozi_ifsb | 463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f | Triage

Submit
Reports

Overview

overview

Static

static

463aa416fb...8f.exe

windows7_x64

463aa416fb...8f.exe

windows10-2004_x64

Sharing

General

Target

463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f
Size

247KB
Sample

220707-ldzvwschg4
MD5

8ca975c4f8bb576f6b6b18b842509f27
SHA1

1ba1152336570c93a3779718127ad24f5b72244d
SHA256

463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f
SHA512

e3ec514873b30e9aa049936c8615c6cf6b37cd38e6bf86044454357a8563798ed5ddf7df722a0b7f14ea18d68603fda2c23707496f8f57bc19d00bcf0eb18823

Score

10^/10

gozi_ifsb 1000 banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f.exe

Resource

win7-20220414-en

gozi_ifsb 1000 banker persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f.exe

Resource

win10v2004-20220414-en

gozi_ifsb 1000 banker persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

musicvideotips.ru

musicvideoporntips.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f
- Size
  
  247KB
- MD5
  
  8ca975c4f8bb576f6b6b18b842509f27
- SHA1
  
  1ba1152336570c93a3779718127ad24f5b72244d
- SHA256
  
  463aa416fbdc52fec03c0d238997a4699d765b5023246816b8a8d8efd32a9f8f
- SHA512
  
  e3ec514873b30e9aa049936c8615c6cf6b37cd38e6bf86044454357a8563798ed5ddf7df722a0b7f14ea18d68603fda2c23707496f8f57bc19d00bcf0eb18823
Score

10^/10

gozi_ifsb 1000 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1000bankerpersistencetrojan

behavioral2

gozi_ifsb1000bankerpersistencetrojan

© 2018-2024

Terms | Privacy