Overview

overview

10

Static

static

10

4e.exe

windows7-x64

10

4e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4e.exe

  • Size

    37KB

  • Sample

    220923-h6nfsahdgj

  • MD5

    ff981f29daba877bc365211aabfe8801

  • SHA1

    f9d94bb62c230210afdde498ec0b0c119edb3466

  • SHA256

    4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658

  • SHA512

    14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43

  • SSDEEP

    768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p

Score
10/10
gozi_ifsb1900bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1900

C2

tel.msn.com

194.76.225.60

185.212.47.133
Attributes
  • base_path

    /doorway/

  • build

    250235

  • exe_type

    loader

  • extension

    .drr

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

1900

C2

apnfy.msn.com

194.76.225.61

185.212.47.186

45.11.180.215

45.11.180.219
Attributes
  • base_path

    /doorway/

  • build

    250240

  • exe_type

    worker

  • extension

    .drr

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      4e.exe

    • Size

      37KB

    • MD5

      ff981f29daba877bc365211aabfe8801

    • SHA1

      f9d94bb62c230210afdde498ec0b0c119edb3466

    • SHA256

      4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658

    • SHA512

      14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43

    • SSDEEP

      768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p

    Score
    10/10
    gozi_ifsb1900bankertrojan

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

      bankertrojangozi_ifsb

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Remote System Discovery

2
T1018

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks