gozi_ifsb | 1690e6dc209cf184d37b9ab4a7a66a291ae7c1e045df91c19c5036ba90b3e251

General

Target

1690e6dc209cf184d37b9ab4a7a66a291ae7c1e045df91c19c5036ba90b3e251
Size

37KB
Sample

220919-y6s92abffr
MD5

e95b96c3cdd316f1be76a3ad746f63bc
SHA1

63fbf324525828bb464cb2f9b793ca29bb83e9d5
SHA256

1690e6dc209cf184d37b9ab4a7a66a291ae7c1e045df91c19c5036ba90b3e251
SHA512

f6b55de10ef749fad45ef5f4e820f63e42285f94c0239dec9d049d0bd81c30ad242254e475ac33260e09b5d47e674e3e17fb73587b7220bfa9aa705dbb54f89c
SSDEEP

768:Q41V8UHIm2fyyr96/SNxoZC/OFYbmVvP0rhAuCzL+rZhgbtuPja1xDiMxy:QefIZfdMexoGvmQhARarEMoxDi0y

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

40000

C2

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
build
250240
exe_type
loader
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

40000

C2

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
build
250246
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  1690e6dc209cf184d37b9ab4a7a66a291ae7c1e045df91c19c5036ba90b3e251
- Size
  
  37KB
- MD5
  
  e95b96c3cdd316f1be76a3ad746f63bc
- SHA1
  
  63fbf324525828bb464cb2f9b793ca29bb83e9d5
- SHA256
  
  1690e6dc209cf184d37b9ab4a7a66a291ae7c1e045df91c19c5036ba90b3e251
- SHA512
  
  f6b55de10ef749fad45ef5f4e820f63e42285f94c0239dec9d049d0bd81c30ad242254e475ac33260e09b5d47e674e3e17fb73587b7220bfa9aa705dbb54f89c
- SSDEEP
  
  768:Q41V8UHIm2fyyr96/SNxoZC/OFYbmVvP0rhAuCzL+rZhgbtuPja1xDiMxy:QefIZfdMexoGvmQhARarEMoxDi0y
Score

10^/10

gozi_ifsb 40000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2