gozi_ifsb | 934d35b702d4339f22b374ff4b7ea79daaa8546b7551e3b3bd8493bd8e084515 | Triage

Sharing

General

Target

1479.iso
Size

418KB
Sample

221019-mrbkwsfhal
MD5

ff37f409929b6062f3b30dcdd0434d87
SHA1

0a8fc70f3b1fcff8151e9bc2caba073006a6dbce
SHA256

934d35b702d4339f22b374ff4b7ea79daaa8546b7551e3b3bd8493bd8e084515
SHA512

1d3f8a585c4d6b12eb1917975c33352cebde407311be3bffaf3b78a490995c8a169c0624f0939bdbbee1ad5cd337767a855ac2f6e9edf7f3de50c0a3283370bc
SSDEEP

12288:+owbj26rj+uNbMYzwhwZwcwvOqHYHHDOcYw9wi5eOlGHHHHuOUw:+oQjS6zwhwZwcwXHYHHmw9wqdGHHHHMw

Score

10^/10

gozi_ifsb 5000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5000

C2

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes

base_path
/drew/
build
250246
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  1479.lnk
- Size
  
  1KB
- MD5
  
  3a7fe4683c4e75860cda2f9cfe8286e7
- SHA1
  
  c61988e9a7270572d66305a1ae117ad88e321276
- SHA256
  
  95d75f9f60c28efec7ec43966a0379063aa9c7ca5351f23c77dc3e67050f559a
- SHA512
  
  b144c4ce2285f19e3ae7df886cee5a0d3c596c58e035b7f6d258aa0c4d223c9c02ea436326c791c9048519049c68c4f7e6e9bd1df10e997c4896c68f7ce1b4c0
Score

10^/10

gozi_ifsb 5000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  internee/boutiques.3ds
- Size
  
  116KB
- MD5
  
  5e349e9ca45164561cc820c8e76d954f
- SHA1
  
  c4f8099027a8a0b26455d4fbc005eff217f3a42c
- SHA256
  
  d49394ac9e0a118afe5115a2206d5f815dbc0816f7507a860a297c941f88ebfa
- SHA512
  
  7ee7f456c8e83eedb482800a5cb00c1d5624071c6aacf0e5b14c8656cac9f74b3faee7342bdf89a72e335ca5b4d090d2140a44cef5f29ee20f8b558b12b34548
- SSDEEP
  
  3072:u14Nm3YTyepi7bLYB0s7+Ec7V6bW2nnW6rifrQc1+lUmT:mvgwYB0v72n6rQA+b
Score

10^/10

gozi_ifsb 5000 banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
behavioral3 behavioral4
- Target
  
  internee/champ.cmd
- Size
  
  381B
- MD5
  
  74007b3865242517747902e9ff36a21b
- SHA1
  
  e4df5ec1e51459e74b175e02639190aebc3b1b72
- SHA256
  
  98f7f620659ea608a3753f036bd64d64a41661374b7b10fc42e276af0d91af59
- SHA512
  
  815931ba440fa2a0a8be6a9f83617e9d2189771c1421b51264dfafd6f0b713d024176285905c209ad68d5ec51a32483d307598faa20b8fc9a0fa3f9e31cc2e9b
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_ifsb5000bankertrojan

behavioral2

gozi_ifsb5000bankertrojan

behavioral3

gozi_ifsb5000bankertrojan

behavioral4

gozi_ifsb5000bankertrojan

behavioral5

behavioral6