gozi_ifsb | 7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5 | Triage

Submit
Reports

Overview

overview

Static

static

7da58be3ac...e5.exe

windows7-x64

7da58be3ac...e5.exe

windows10-2004-x64

Sharing

General

Target

7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5
Size

444KB
Sample

221019-2dqvzsbbf3
MD5

821d6fee9e229e7481e533e89f16aa50
SHA1

c8be2a9fe9548527ca0caee94598630bf9e861e7
SHA256

7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5
SHA512

659e05514d26f5a105f1872f4acbe3334d7065f1a4b3278da401dbd079ee4cb7ee8602508efefa718bd801e0db08b052f19af6bba18027ceb1c48c5ee0e32e8b
SSDEEP

12288:qBlWJRQJ/D+iJIicarPZM6YZbDYDKCIrBBz6Ff0:qBQRQJ/ilAd3YYBIl1n

Score

10^/10

gozi_ifsb 2000 banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5.exe

Resource

win7-20220812-en

gozi_ifsb 2000 banker persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5.exe

Resource

win10v2004-20220812-en

gozi_ifsb 2000 banker persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2000

C2

newlinecinema130.ru

freechat15.ru

messenger9.ru

weatherwidget.ru

trafficzone.ru

adsanalytics.ru

adsbanner.ru

okallright.ru

Attributes

build
212453
exe_type
worker
server_id
93

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5
- Size
  
  444KB
- MD5
  
  821d6fee9e229e7481e533e89f16aa50
- SHA1
  
  c8be2a9fe9548527ca0caee94598630bf9e861e7
- SHA256
  
  7da58be3aca05b82aa53698767c26840a09db56ad8de584a702ab640f8ee39e5
- SHA512
  
  659e05514d26f5a105f1872f4acbe3334d7065f1a4b3278da401dbd079ee4cb7ee8602508efefa718bd801e0db08b052f19af6bba18027ceb1c48c5ee0e32e8b
- SSDEEP
  
  12288:qBlWJRQJ/D+iJIicarPZM6YZbDYDKCIrBBz6Ff0:qBQRQJ/ilAd3YYBIl1n
Score

10^/10

gozi_ifsb 2000 banker persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsb2000bankerpersistencetrojan

behavioral2

gozi_ifsb2000bankerpersistencetrojan

© 2018-2024

Terms | Privacy