gozi_ifsb | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80 | Triage

Submit
Reports

Overview

overview

Static

static

95b107fed6...80.exe

windows7-x64

95b107fed6...80.exe

windows10-2004-x64

Sharing

General

Target

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
Size

330KB
Sample

221013-wthxesgcg3
MD5

6a4b1cfb80bdb519dcd780cf3394de20
SHA1

e14344457221584f5ae03f041eeddcec1c941597
SHA256

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
SHA512

46acb4dc1311a7e0f016f44b3c8cf1d140b65bd5de57c2566d85f0289a91e10fba9df9493c8a8ad3c838d6b4ff85c1343dcd80b24f52876f3eb2703f3a6d417f
SSDEEP

6144:wikrw8J6L91p9xzyohKhRcIERqcKvl9W695OHIue/Ytijm/:M8iE93jkIIEwc6l9W62Hht

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

Resource

win7-20220812-en

gozi_ifsb 1010 banker persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

Resource

win10v2004-20220812-en

gozi_ifsb 1010 banker persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

siasecuritychecks.com

195.20.141.92

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
- Size
  
  330KB
- MD5
  
  6a4b1cfb80bdb519dcd780cf3394de20
- SHA1
  
  e14344457221584f5ae03f041eeddcec1c941597
- SHA256
  
  95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
- SHA512
  
  46acb4dc1311a7e0f016f44b3c8cf1d140b65bd5de57c2566d85f0289a91e10fba9df9493c8a8ad3c838d6b4ff85c1343dcd80b24f52876f3eb2703f3a6d417f
- SSDEEP
  
  6144:wikrw8J6L91p9xzyohKhRcIERqcKvl9W695OHIue/Ytijm/:M8iE93jkIIEwc6l9W62Hht
Score

10^/10

gozi_ifsb 1010 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb1010bankerpersistencetrojan

behavioral2

gozi_ifsb1010bankerpersistencetrojan

© 2018-2024

Terms | Privacy