gozi_ifsb | 5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a | Triage

Sharing

General

Target

5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
Size

134KB
Sample

220719-dsdxzahdfl
MD5

8a1495c8f27d36165e01cfa54468f34b
SHA1

ef62f4c1cb28610e75664b53ddccfcd0e80a6b9d
SHA256

5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
SHA512

44b7ea57d88c4ae27029b2564a5250fcfe157bb6a702ead1a654b57e21b957919217dffa16efe4ee9e56c66f5ef0a04821fe7791c5df6a4312e22b4623f10206

Score

10^/10

gozi_ifsb 2000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2000

C2

api2.doter.at/webstore

beetfeetlife.bit/webstore

in.extermas.at/webstore

ax.zaravid.at/webstore

g2.ex100p.at/webstore

gif.doter.at/webstore

extra.avareg.cn/webstore

foo.avaregio.at/webstore

op.iovbased.at/webstore

ws.doter.at/webstore

f1.cnboal.at/webstore

xxx.doolap.at/webstore

Attributes

build
217061
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
dns_servers
51.255.48.78
8.8.8.8
192.71.245.208
51.15.98.97
178.17.170.179
193.183.98.66
207.148.83.241
111.67.20.8
103.236.162.119
142.4.205.47
213.136.85.253
159.89.249.249
82.196.9.45
exe_type
loader
server_id
550

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
- Size
  
  134KB
- MD5
  
  8a1495c8f27d36165e01cfa54468f34b
- SHA1
  
  ef62f4c1cb28610e75664b53ddccfcd0e80a6b9d
- SHA256
  
  5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
- SHA512
  
  44b7ea57d88c4ae27029b2564a5250fcfe157bb6a702ead1a654b57e21b957919217dffa16efe4ee9e56c66f5ef0a04821fe7791c5df6a4312e22b4623f10206
Score

10^/10

gozi_ifsb 2000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

gozi_ifsb2000bankertrojan

behavioral2

gozi_ifsb2000bankertrojan