General

  • Target

    5353.iso

  • Size

    418KB

  • Sample

    221020-pl6vysddep

  • MD5

    14cb7db8dbd6760facc522bee181071f

  • SHA1

    edc0f186ee5dfb5b05d8d57d283cc49f688a6afc

  • SHA256

    4fc5fe464bee34e45e7d88c634a122164f0f2b3a78ae46a8d540eee17cf13647

  • SHA512

    baeaebc0cc1680f76ea525b1cfe61f78be217cb8541553173acdb39cba1332ef437303f9b76c9f9f3f91306f9bf735f04b9e966af3a911516f2bffa84b460de9

  • SSDEEP

    12288:wNbMYzwhwZwcwvOqHYHHDOcYw9wi5eOlGHHHHuOUwLmwbj26rj+:QzwhwZwcwXHYHHmw9wqdGHHHHMwLmQjS

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5000

C2

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes
  • base_path

    /drew/

  • build

    250246

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain
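The extracted configuration above is enough to write a network-side check. The following Python is an added example, not part of the sandbox report: it scans proxy-log lines for the listed C2 domains and for the ISFB request-path shape (base_path as prefix, the configured extension as suffix), and looks up file hashes against the samples listed on this page. The log format and the log lines are constructed; the assumption that ISFB beacon URLs start with base_path and end with the configured extension is standard ISFB behaviour, not something the report itself states. One caveat a responder should keep in mind: config.edge.skype.com is a legitimate Microsoft host that ISFB configs carry as a connectivity check, so the example flags the two operator domains and the path pattern but deliberately does not treat hits on that host as C2 traffic.

```python
"""Detection helper built from the Gozi ISFB config extracted on this page.

Added example, not part of the sandbox report.  Matches URLs against the C2
domains and the base_path/extension pattern from the config, and looks up
SHA256 digests against the files listed under General and Targets.
"""
from urllib.parse import urlsplit

# Values copied from the extracted config on this page.
C2_HOSTS = {"config.edge.skype.com", "onlinetwork.top", "linetwork.top"}
BASE_PATH = "/drew/"
EXTENSION = ".jlk"

# config.edge.skype.com is a legitimate Microsoft host.  ISFB configs commonly
# include one such entry as a connectivity check; do not alert or block on it.
CONNECTIVITY_CHECK_HOSTS = {"config.edge.skype.com"}

# SHA256 digests of the files listed on this page (ISO, LNK, CMD).
KNOWN_SHA256 = {
    "4fc5fe464bee34e45e7d88c634a122164f0f2b3a78ae46a8d540eee17cf13647": "5353.iso",
    "3217a3d5115cd2aefb82497017ed391c9400be479e56b9a6aa0e40f66da8cdcb": "5353.lnk",
    "9b1f31bdc9ae8596f6cbf32f213857d74aa0801caf8bcf2f3b23ac9efb0d8f29": "internee/highlighted.cmd",
}


def classify_url(url):
    """Return (verdict, reason) for one URL.

    'c2'      : one of the config's operator domains
    'suspect' : base_path/extension shape on a host not in the config
                (ISFB operators rotate domains; the path shape survives)
    'benign'  : everything else, including the connectivity-check host
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    isfb_path = path.startswith(BASE_PATH) and path.endswith(EXTENSION)

    if host in CONNECTIVITY_CHECK_HOSTS:
        return ("benign", "connectivity-check host from config, not a C2")
    if host in C2_HOSTS and isfb_path:
        return ("c2", "config domain with base_path/extension pattern")
    if host in C2_HOSTS:
        return ("c2", "config domain")
    if isfb_path:
        return ("suspect", "base_path/extension pattern on unlisted host")
    return ("benign", "")


def scan_log(lines):
    """Scan proxy-log lines of the constructed form
    '<timestamp> <client_ip> <method> <url> <status>' and return the
    non-benign hits as dicts (client, host, url, verdict, reason)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        verdict, reason = classify_url(url)
        if verdict != "benign":
            hits.append({
                "client": fields[1],
                "host": urlsplit(url).hostname,
                "url": url,
                "verdict": verdict,
                "reason": reason,
            })
    return hits


def lookup_sha256(digest):
    """Return the page's file name for a known SHA256, or None."""
    return KNOWN_SHA256.get(digest.strip().lower())


# Constructed proxy-log lines; hosts ending in .example are placeholders.
SAMPLE_LOG = [
    "2022-10-20T12:00:01Z 10.0.0.5 GET http://config.edge.skype.com/config/v1 200",
    "2022-10-20T12:00:02Z 10.0.0.5 GET http://onlinetwork.top/drew/kRfzT/4xQ.jlk 200",
    "2022-10-20T12:00:03Z 10.0.0.5 GET http://linetwork.top/drew/8mB1/QqD.jlk 200",
    "2022-10-20T12:00:04Z 10.0.0.7 GET http://intranet.example/status 200",
    "2022-10-20T12:00:05Z 10.0.0.9 GET http://unknownhost.example/drew/abcd.jlk 404",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["verdict"], hit["client"], hit["url"], "-", hit["reason"])
    print(lookup_sha256("4fc5fe464bee34e45e7d88c634a122164f0f2b3a78ae46a8d540eee17cf13647"))
```

Run against the constructed log, the two beacons to the operator domains come back as `c2`, the request with the same path shape to an unlisted host as `suspect`, and the Skype connectivity check is left alone. Matching the path shape as well as the domains matters because the domains are the cheapest thing for the operator to change; base_path and extension come from the build and tend to persist across a campaign.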

Targets

    • Target

      5353.lnk

    • Size

      1KB

    • MD5

      ab707348e10bb475ae3da7dbc3a3e791

    • SHA1

      d201d835c1b487addfecadccf51b09c5eac35a6c

    • SHA256

      3217a3d5115cd2aefb82497017ed391c9400be479e56b9a6aa0e40f66da8cdcb

    • SHA512

      6c9ebbb710dcbeee24432fa5f1d56c5c2473ebbc71b220780eaae825d7d3f434ad1b6d4a46ce6dafe5687155fcbf86b932852ce0f7711db85bb07128271c666a

    • Gozi, Gozi IFSB

      Gozi ISFB is a well-known and widely distributed banking trojan.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      internee/highlighted.cmd

    • Size

      378B

    • MD5

      5ba9ba2fdc982323061d2fa8977b73e2

    • SHA1

      11eb965374b01c766fcb59fa1afc4ad0e9bd507d

    • SHA256

      9b1f31bdc9ae8596f6cbf32f213857d74aa0801caf8bcf2f3b23ac9efb0d8f29

    • SHA512

      9d2f56c09a3421edbe20f5a8e644557bc37a30caa0b7b1c320043d245a5147fc9dd933a662cd6969fee73fe70ae51878a0809fe4cbaa812f5fe7912eb48c1cad

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2

Tasks