gozi_ifsb | 554859fca727ca24661e8a62cd964a673f3df3e8b1746ebb7235ec6c87d14d3e | Triage

Sharing

General

Target

554859fca727ca24661e8a62cd964a673f3df3e8b1746ebb7235ec6c87d14d3e
Size

281KB
Sample

221002-19qdnaefen
MD5

013258b4005484f42888e377f7412fe0
SHA1

a48eb0f3adbafb7bb6b3f42c04db797aca60895b
SHA256

554859fca727ca24661e8a62cd964a673f3df3e8b1746ebb7235ec6c87d14d3e
SHA512

547f7942d5654dbca1b60bb72be466524c352e79347ece837f39ac1932f747d04c3a808f0ca53b52943b2cb8a93d4698599e9d6d98b20d3b35f0c03915b19dd9
SSDEEP

6144:EZ8DmM0rMJM19avyU2YGUsPKgUBHHBtTDWN2WC3y:3KMJMup2x5K5Bbl3y

Score

10^/10

gozi_ifsb 1015 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1015

C2

lgeywijneyke.us

puqcgfwgmftravot.com

itnnuubvifmaintg.com

rtsnysrusdtbh.net

pkgmvltcjk.org

Attributes

exe_type
worker
server_id
8

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  554859fca727ca24661e8a62cd964a673f3df3e8b1746ebb7235ec6c87d14d3e
- Size
  
  281KB
- MD5
  
  013258b4005484f42888e377f7412fe0
- SHA1
  
  a48eb0f3adbafb7bb6b3f42c04db797aca60895b
- SHA256
  
  554859fca727ca24661e8a62cd964a673f3df3e8b1746ebb7235ec6c87d14d3e
- SHA512
  
  547f7942d5654dbca1b60bb72be466524c352e79347ece837f39ac1932f747d04c3a808f0ca53b52943b2cb8a93d4698599e9d6d98b20d3b35f0c03915b19dd9
- SSDEEP
  
  6144:EZ8DmM0rMJM19avyU2YGUsPKgUBHHBtTDWN2WC3y:3KMJMup2x5K5Bbl3y
Score

10^/10

gozi_ifsb 1015 banker trojan persistence
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb1015bankertrojan

behavioral2

gozi_ifsb1015bankerpersistencetrojan