gozi_ifsb | 251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f | Triage

Sharing

General

Target

62c6b5af0566b.dll
Size

432KB
Sample

220707-mld4tsfca8
MD5

82186dbbba674eaeed2b4bb95a5a9fac
SHA1

00d0e69a746d05039b63fdd94eb2bce6ce27a4a7
SHA256

251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
SHA512

91ba44bf86c583ae28a09c20bebd7b6a9d253e690ce3f358b669d48d17980f0a9b7a40acaa9325f773504bb98edcc9e8edd252716628dd7a79e5394e06d782b4

Score

10^/10

gozi_ifsb 3000 banker suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

79.110.52.164

79.110.52.97

Attributes

base_path
/drew/
build
250239
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  62c6b5af0566b.dll
- Size
  
  432KB
- MD5
  
  82186dbbba674eaeed2b4bb95a5a9fac
- SHA1
  
  00d0e69a746d05039b63fdd94eb2bce6ce27a4a7
- SHA256
  
  251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
- SHA512
  
  91ba44bf86c583ae28a09c20bebd7b6a9d253e690ce3f358b669d48d17980f0a9b7a40acaa9325f773504bb98edcc9e8edd252716628dd7a79e5394e06d782b4
Score

10^/10

gozi_ifsb 3000 banker trojan suricata
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb3000bankertrojan

behavioral2

gozi_ifsb3000bankersuricatatrojan