gozi_ifsb | f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195 | Triage

Submit
Reports

Overview

overview

Static

static

f1c6a47ac9...95.exe

windows7-x64

f1c6a47ac9...95.exe

windows10-2004-x64

Sharing

General

Target

f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195
Size

244KB
Sample

221012-25f5vsgef8
MD5

796f5aaf5dbdbcff4a04358e45f28920
SHA1

4695faa6d9c02fdb02cd91629e8b3eca2f14fa56
SHA256

f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195
SHA512

f6770a548c83aa950408490e45d3289e1d22d5eca567e4e637b135fb7085f78fe26663d7c4fdc7df83575030a1c1015d51b0980d9550509ebf33335c6fee7815
SSDEEP

6144:hKxMcnHkSbJCtBvwYkbvzXRrhWeW835EkbroAx:+HZYBo3h3fh

Score

10^/10

gozi_ifsb 3 banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe

Resource

win7-20220812-en

gozi_ifsb 3 banker persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe

Resource

win10v2004-20220812-en

gozi_ifsb 3 banker persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3

C2

rootapi.su

root-api.su

rootapigoogle.su

rootapi-google.su

root-apigoogle.su

rootgoogle.su

root-google.su

rootgoogleapi.su

rootgoogle-api.su

root-googleapi.su

91.226.212.148

Attributes

exe_type
worker

rsa_pubkey.plain

Targets

- Target
  
  f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195
- Size
  
  244KB
- MD5
  
  796f5aaf5dbdbcff4a04358e45f28920
- SHA1
  
  4695faa6d9c02fdb02cd91629e8b3eca2f14fa56
- SHA256
  
  f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195
- SHA512
  
  f6770a548c83aa950408490e45d3289e1d22d5eca567e4e637b135fb7085f78fe26663d7c4fdc7df83575030a1c1015d51b0980d9550509ebf33335c6fee7815
- SSDEEP
  
  6144:hKxMcnHkSbJCtBvwYkbvzXRrhWeW835EkbroAx:+HZYBo3h3fh
Score

10^/10

gozi_ifsb 3 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb3bankerpersistencetrojan

behavioral2

gozi_ifsb3bankerpersistencetrojan

© 2018-2024

Terms | Privacy