gozi_ifsb | 64a6b3f1924ebcd8d162482001721ee6459e23811055b6d9d79c8db2d7af327f

General

Target

64.exe
Size

37KB
Sample

220923-h4cw9shdfq
MD5

a0e3596ac737f7ca98538a1479e4cdd1
SHA1

b312eacda77ec55e6fb9fb62ab0b756ca50d8201
SHA256

64a6b3f1924ebcd8d162482001721ee6459e23811055b6d9d79c8db2d7af327f
SHA512

d67f340c9147f314e41e72c3a002ce6c22a538422f50f707b599b54458d7bf7db4824a748c249d8438e831a8b5bd0ca568cc2d23cedac32ad16f42c43b929d9a
SSDEEP

768:V41V8UHIm2qyiBMoxKRZsLgY5AQnkcgIHAs5Tdh77k3mNrow5:VefIZqtBR6Zsd5U8f5xhfk3eo

Score

10^/10

Malware Config

Extracted

Family

gozi_ifsb

Botnet

200000

C2

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
build
250240
exe_type
loader
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

200000

C2

trackingg-protectioon.cdn1.mozilla.net

45.8.158.104

188.127.224.114

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

iujdhsndjfks.com

Attributes

base_path
/uploaded/
build
250246
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  64.exe
- Size
  
  37KB
- MD5
  
  a0e3596ac737f7ca98538a1479e4cdd1
- SHA1
  
  b312eacda77ec55e6fb9fb62ab0b756ca50d8201
- SHA256
  
  64a6b3f1924ebcd8d162482001721ee6459e23811055b6d9d79c8db2d7af327f
- SHA512
  
  d67f340c9147f314e41e72c3a002ce6c22a538422f50f707b599b54458d7bf7db4824a748c249d8438e831a8b5bd0ca568cc2d23cedac32ad16f42c43b929d9a
- SSDEEP
  
  768:V41V8UHIm2qyiBMoxKRZsLgY5AQnkcgIHAs5Tdh77k3mNrow5:VefIZqtBR6Zsd5U8f5xhfk3eo
Score

10^/10

gozi_ifsb 200000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2