gozi_ifsb | 72d9483b63c2048999b51bd99dcb984818d2f179c2ecb1a739db7a0d9a2c19b8 | Triage

Sharing

General

Target

72d9483b63c2048999b51bd99dcb984818d2f179c2ecb1a739db7a0d9a2c19b8
Size

504KB
Sample

221020-yvpgpscfaj
MD5

9007002f50ec8fc81ae33ab378993420
SHA1

8b635d5c4fab73b265b729bd3d00b270e7ece58d
SHA256

72d9483b63c2048999b51bd99dcb984818d2f179c2ecb1a739db7a0d9a2c19b8
SHA512

3568d3227151581a94987bf4ac4ba29f49ea0d64ebdf15e272978a602fc1476c32725260c98fef9c7f76e6fcfe2c0641b3b4fb533bc0135211941368c425a3f1
SSDEEP

6144:350/1BmP62AWHLW4pmGm8KORHMUGCvtloGvjgxlfNtVONQ:p0DcmSLIGYORH9RvtK80dNtVuQ

Score

10^/10

gozi_ifsb banker bootkit persistence trojan

Malware Config

Targets

- Target
  
  72d9483b63c2048999b51bd99dcb984818d2f179c2ecb1a739db7a0d9a2c19b8
- Size
  
  504KB
- MD5
  
  9007002f50ec8fc81ae33ab378993420
- SHA1
  
  8b635d5c4fab73b265b729bd3d00b270e7ece58d
- SHA256
  
  72d9483b63c2048999b51bd99dcb984818d2f179c2ecb1a739db7a0d9a2c19b8
- SHA512
  
  3568d3227151581a94987bf4ac4ba29f49ea0d64ebdf15e272978a602fc1476c32725260c98fef9c7f76e6fcfe2c0641b3b4fb533bc0135211941368c425a3f1
- SSDEEP
  
  6144:350/1BmP62AWHLW4pmGm8KORHMUGCvtloGvjgxlfNtVONQ:p0DcmSLIGYORH9RvtK80dNtVuQ
Score

10^/10

gozi_ifsb banker bootkit persistence trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Deletes itself
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gozi_ifsbbankerbootkitpersistencetrojan

behavioral2