gozi_ifsb | 25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061

Analysis

max time kernel
432s
max time network
436s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe
Size

676KB
MD5

644c7a78a572d45d8af45d94e6a57e40
SHA1

0b3e29129dc20a87a166ade006bf8f1cbd9b8300
SHA256

25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061
SHA512

7dfbe61d11077a254d13d869b888c22d2e02b82c6ae8d75f04f7683d5eca7aecc8e00de740e094f197ae2f1ebd6319c3c162dc1e1e9c20ec36f7a2bddab3ce33
SSDEEP

12288:Zv75bu3S23LN8wa7yelFRNuQ7TdC1ryYrKTP5uSZPnMll:J75E732wujXbzFZil

Score

10^/10

gozi_ifsb 2002 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2002

test1.ru

Attributes

build
216843
dga_base_url
opensource.apple.com/source/Security/Security-29/SecureTransport/LICENSE.txt?txt
dga_crc
0x6f0b167a
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe

C:\Users\Admin\AppData\Local\Temp\25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe
"C:\Users\Admin\AppData\Local\Temp\25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061.exe"
1⤵
- Checks BIOS information in registry
PID:1256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1256-55-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1256-56-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download