gozi_ifsb | 3d37a039f510721efc2a3b8970ec02bb1805459acf9f898c490f9417972987bf

General

Target

63297b019069d.pdf
Size

504KB
Sample

220920-kgs13sgafm
MD5

d9af455fda42e5338a154d5b6abbce7c
SHA1

27023986e041140313474bb255f0dc1be03ac277
SHA256

3d37a039f510721efc2a3b8970ec02bb1805459acf9f898c490f9417972987bf
SHA512

75ed1c03027051d7838911b65948d5854bfb857598dc5cf739ed19bad49e85237c75b76ab7de17b1f91b43a88b00a91f441b17c8db93aa23ad3c17fbe937621e
SSDEEP

6144:/EZjSPANWjOuuPdo4JrNOiduRVBVSjcdZ0nPjlv7oppo7490BszloJ5ICZO/+:KdlJOkuRVfa48LljoppoE90Co5dL

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

89.41.26.99

89.45.4.102

193.106.191.163

interstarts.top

superlist.top

internetcoca.in

Attributes

base_path
/drew/
build
250246
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

interliner.top

interlinel.top

superliner.top

superlinez.top

internetlined.com

internetlines.in

medialists.su

medialists.ru

mediawagi.info

mediawagi.ru

89.41.26.90

89.41.26.93

denterdrigx.com

digserchx.at

Attributes

base_path
/images/
build
250246
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  63297b019069d.pdf
- Size
  
  504KB
- MD5
  
  d9af455fda42e5338a154d5b6abbce7c
- SHA1
  
  27023986e041140313474bb255f0dc1be03ac277
- SHA256
  
  3d37a039f510721efc2a3b8970ec02bb1805459acf9f898c490f9417972987bf
- SHA512
  
  75ed1c03027051d7838911b65948d5854bfb857598dc5cf739ed19bad49e85237c75b76ab7de17b1f91b43a88b00a91f441b17c8db93aa23ad3c17fbe937621e
- SSDEEP
  
  6144:/EZjSPANWjOuuPdo4JrNOiduRVBVSjcdZ0nPjlv7oppo7490BszloJ5ICZO/+:KdlJOkuRVfa48LljoppoE90Co5dL
Score

10^/10

gozi_ifsb 3000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2