gozi_ifsb | cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23

General

Target

cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
Size

42KB
MD5

6eb6ef0ed1b8b345412f9545571042e2
SHA1

b9a1945c04610ae72265c5da6ccfe29ca1a4c52e
SHA256

cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
SHA512

ca8757eac1449bae293b265c4d3aa14d996e3b0838c86fab330714c02d5da4b8cffb00d3ce3b9600db62c39c7e6dbf3dc099ba0f524a8f614330fb45c35ccee3
SSDEEP

768:dsNli1vUaabvWWCZt4cYihj2qkOARTYDGvHEKsAm3L0BBB/GpPkCzn/77s4:d0i1Z5vZtdhn2RTYDskKDVedkCzXs4

Score

10^/10

8877 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8877

C2

outlook.com

xaaorunokee.site

taaorunokee.site

Attributes

base_path
/hreeen/
build
250212
dga_season
10
exe_type
loader
extension
.lof
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
.dll regsvr32 windows x86

7810ad7e9f1684556ca41a69627e4ce9

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
memcpy
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
HeapAlloc
SetThreadPriority
Sleep
ExitThread
lstrlenW
GetLastError
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapFree
GetModuleFileNameW
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7810ad7e9f1684556ca41a69627e4ce9

Code Sign

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 476B

.bss Size: 1024B - Virtual size: 732B

.reloc Size: 33KB - Virtual size: 36KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 476B

.bss
Size: 1024B - Virtual size: 732B

.reloc
Size: 33KB - Virtual size: 36KB