gozi_ifsb | 893ba03135a5e8e53d4413ae269f85cab2dd56b451bd99cc233064df402d3f84 | Triage

Sharing

General

Target

89.exe
Size

37KB
Sample

220923-jw7x4shecj
MD5

6fd188840e7d734b23a5b22ae7eb0e6d
SHA1

d156adc662164a272c8a70ac013cae8b9dfdf6fb
SHA256

893ba03135a5e8e53d4413ae269f85cab2dd56b451bd99cc233064df402d3f84
SHA512

c63eb0695e5dc2dc8b643a8c7cbd4c499be9ad6236d8792f5ec1ac4ad6bc22b82e8aa01f6a859240151e8534f920cf71e45123a424ee1efa8178cc813464b2c1
SSDEEP

768:SsdUYVI40pItPyDOXXQepWOr60DiREQwFepXBkiKbXuDtcSqDZKkCIof:jFVI4ttPbmOr5iREh8jpDuAFIof

Score

10^/10

gozi_ifsb 1200 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1200

C2

anrfrm.msn.com

194.76.225.90

msggi.msn.com

194.76.225.56

194.76.225.91

Attributes

base_path
/zerobin/
build
250239
exe_type
loader
extension
.bon
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

1200

C2

arrrm.msn.com

185.212.47.240

arfrfm.msn.com

176.10.119.51

185.212.47.244

185.189.151.165

194.76.225.57

Attributes

base_path
/zerobin/
build
250239
exe_type
worker
extension
.bon
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  89.exe
- Size
  
  37KB
- MD5
  
  6fd188840e7d734b23a5b22ae7eb0e6d
- SHA1
  
  d156adc662164a272c8a70ac013cae8b9dfdf6fb
- SHA256
  
  893ba03135a5e8e53d4413ae269f85cab2dd56b451bd99cc233064df402d3f84
- SHA512
  
  c63eb0695e5dc2dc8b643a8c7cbd4c499be9ad6236d8792f5ec1ac4ad6bc22b82e8aa01f6a859240151e8534f920cf71e45123a424ee1efa8178cc813464b2c1
- SSDEEP
  
  768:SsdUYVI40pItPyDOXXQepWOr60DiREQwFepXBkiKbXuDtcSqDZKkCIof:jFVI4ttPbmOr5iREh8jpDuAFIof
Score

10^/10

gozi_ifsb 1200 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb1200bankertrojan

behavioral2

gozi_ifsb1200bankertrojan