General

  • Target: Installer4.8.msi
  • Size: 108.2MB
  • Sample: 220927-we39taeah7
  • MD5: d9398da0a685c457f2d103fd3ac8163a
  • SHA1: 559ab94994830e1fe84c084fa26dfbd1104f15be
  • SHA256: 97182caf61b84247b0ac06b824dd8de0cf06bb1a78486cc970b300f3e6edc20f
  • SHA512: b628b60e28ead8b6a1f29c50b87fca49aeb7497449795e5342a1f748d5e24d089d713380d651dc568f08ef51afe150d8f393086d1f11aa20f258b239f117a334
  • SSDEEP: 3145728:4FEp1cAjJNOCsXvY27nm0LT419R/pt8OBp4e0/QNou:l7FfknLdTC9R/piq0

Malware Config

Extracted

  • Family: gozi_ifsb
  • Botnet: 10101
  • C2


Attributes

  • base_path: /uploaded/
  • build: 250246
  • exe_type: loader
  • extension: .pct
  • server_id: 50

rsa_pubkey.plain
aes.plain

Targets

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks