gozi_ifsb | 11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680 | Triage

Submit
Reports

Overview

overview

Static

static

11c7df54e3...80.exe

windows7-x64

11c7df54e3...80.exe

windows10-2004-x64

Sharing

General

Target

11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680
Size

308KB
Sample

221019-3jn41sdcap
MD5

90cf795b14a75a1a28e7abf49a0a9af0
SHA1

93190d75a679cff026b04902c09cf31ca4082036
SHA256

11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680
SHA512

235ca280a50b28d83a70694d55ec079de215ca73008fe18a9800ed107257f2ac102b754b1ce2443e82eb0ad304eef91e2fe37ac4726a6f871cb586443cd5b830
SSDEEP

6144:dw3kK9f9dbbmQyyTaBrlf0M+MEMcZCCKPCOBmcm8LCLI772y:S3kK9FdbNTaBpfpEMcZqCOB1DS

Score

10^/10

gozi_ifsb 1020 banker persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680.exe

Resource

win7-20220901-en

gozi_ifsb 1020 banker persistence ransomware trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680.exe

Resource

win10v2004-20220812-en

gozi_ifsb 1020 banker persistence ransomware trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1020

C2

sys.charityautoaz.com/geodata/version/ip2ext

lan.fbbcwoodwardpark.com/geodata/version/ip2ext

sys.fmacconsulting.com/geodata/version/ip2ext

supportsstats.net/geodata/version/ip2ext

Attributes

build
212578
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680
- Size
  
  308KB
- MD5
  
  90cf795b14a75a1a28e7abf49a0a9af0
- SHA1
  
  93190d75a679cff026b04902c09cf31ca4082036
- SHA256
  
  11c7df54e3ee750d18a5aee565d8609594e4a30b16669df135057b8f28692680
- SHA512
  
  235ca280a50b28d83a70694d55ec079de215ca73008fe18a9800ed107257f2ac102b754b1ce2443e82eb0ad304eef91e2fe37ac4726a6f871cb586443cd5b830
- SSDEEP
  
  6144:dw3kK9f9dbbmQyyTaBrlf0M+MEMcZCCKPCOBmcm8LCLI772y:S3kK9FdbNTaBpfpEMcZqCOB1DS
Score

10^/10

gozi_ifsb 1020 banker persistence ransomware trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Tasks

static1

behavioral1

gozi_ifsb1020bankerpersistenceransomwaretrojan

behavioral2

gozi_ifsb1020bankerpersistenceransomwaretrojan

© 2018-2024

Terms | Privacy