gozi_ifsb | 96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2

General

Target

a88085e0251fd795e39ba02de1ebaf7c
Size

432KB
Sample

220707-vzt17sefb8
MD5

a88085e0251fd795e39ba02de1ebaf7c
SHA1

d25052c9a633f8a118c9e89a923bbb1df2d2c5f5
SHA256

96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2
SHA512

a2d63443e117e0fa73d118689fe6b8aa1728e80c89f41c6b5524c6d17fd79dbbe9c49f8f47ddf461aec486239b7918a1a7982caab2f15f5c40a00322f7e263da

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

79.110.52.164

79.110.52.97

Attributes

base_path
/drew/
build
250239
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

deohomexm.at

79.110.52.244

23.227.202.64

Attributes

base_path
/images/
build
250239
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  a88085e0251fd795e39ba02de1ebaf7c
- Size
  
  432KB
- MD5
  
  a88085e0251fd795e39ba02de1ebaf7c
- SHA1
  
  d25052c9a633f8a118c9e89a923bbb1df2d2c5f5
- SHA256
  
  96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2
- SHA512
  
  a2d63443e117e0fa73d118689fe6b8aa1728e80c89f41c6b5524c6d17fd79dbbe9c49f8f47ddf461aec486239b7918a1a7982caab2f15f5c40a00322f7e263da
Score

10^/10

gozi_ifsb 3000 banker trojan suricata
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
  suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
  suricata
- suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
  suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
  suricata
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata: ET MALWARE Ursnif Variant CnC Data Exfil
  suricata
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2