gozi_ifsb | 4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658 | Triage

Sharing

General

Target

4e.exe
Size

37KB
Sample

220923-h6nfsahdgj
MD5

ff981f29daba877bc365211aabfe8801
SHA1

f9d94bb62c230210afdde498ec0b0c119edb3466
SHA256

4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658
SHA512

14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43
SSDEEP

768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p

Score

10^/10

gozi_ifsb 1900 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1900

C2

tel.msn.com

194.76.225.60

185.212.47.133

Attributes

base_path
/doorway/
build
250235
exe_type
loader
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

1900

C2

apnfy.msn.com

194.76.225.61

185.212.47.186

45.11.180.215

45.11.180.219

Attributes

base_path
/doorway/
build
250240
exe_type
worker
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  4e.exe
- Size
  
  37KB
- MD5
  
  ff981f29daba877bc365211aabfe8801
- SHA1
  
  f9d94bb62c230210afdde498ec0b0c119edb3466
- SHA256
  
  4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658
- SHA512
  
  14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43
- SSDEEP
  
  768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p
Score

10^/10

gozi_ifsb 1900 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb1900bankertrojan

behavioral2

gozi_ifsb1900bankertrojan