gozi_ifsb | 4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412

General

Target

4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412
Size

427KB
Sample

220712-e3ahzabaem
MD5

2eb14920c75d5e73264f77cfa273ad2c
SHA1

6c5360d41bd2b14b1565f5b18e5c203cf512e493
SHA256

4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412
SHA512

d02e405f61e4c4d5797fad492f28621acdbdbfa2c8238a74538b264dba6c847435c900502889e7bbc6f9bcb5d68858d52bb7b8243c6117884540fbe7e35aff20

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214745

Extracted

Family

gozi_ifsb

Botnet

1020

C2

base.convertspendingtocash.com/htue503dt

base.makaniri.com/htue503dt

base.parhao.com/htue503dt

base.elliott-smith.net/htue503dt

executenet.pw/htue503dt

Attributes

build
214745
exe_type
worker
server_id
60

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412
- Size
  
  427KB
- MD5
  
  2eb14920c75d5e73264f77cfa273ad2c
- SHA1
  
  6c5360d41bd2b14b1565f5b18e5c203cf512e493
- SHA256
  
  4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412
- SHA512
  
  d02e405f61e4c4d5797fad492f28621acdbdbfa2c8238a74538b264dba6c847435c900502889e7bbc6f9bcb5d68858d52bb7b8243c6117884540fbe7e35aff20
Score

10^/10

gozi_ifsb 1020 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2