gozi_ifsb | c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf

Sharing

Copy URL

Twitter E-mail

General

Target

c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf
Size

196KB
MD5

c9bd16862ae56ec22ca70e30af4a4c8d
SHA1

fa373e7657225b3bf681cbba1021a85b238c127e
SHA256

c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf
SHA512

4467af98ff380fd03abc70270bedd29f1857b78f44e0ac6cb387c745b5e122eb8ed7ef33d5b28f4be4761857047768696a0f97150ef8407dc88484274f92f00a
SSDEEP

6144:ZyrhJimqlal587TQeE1j7iknp3uCBA1VPM6C84JZ9v8/AXZS:ZoJzqglK7TZE1j7Zp+Cq1VPMc4rv8/

Score

10^/10

1500 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

api10.v8engine.at/webstore

b.in100k.at/webstore

vo5vuw5tdkqetax4.onion/webstore

api12.apgolop.at/webstore

extra.avareg.cn/webstore

d6djf2vtjv5kowow.onion/webstore

foo.up100n.at/webstore

h22.feel500.at/webstore

zq4aggr2i6hmklgd.onion/webstore

free.up100n.at/webstore

b52.mo100.at/webstore

api10.apgolop.at/webstore

Attributes

build
250152
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
worker
server_id
550

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf
.dll windows x86

af61b1f5a22d930fb70c58ff31e34414

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

NtSetInformationProcess
_snwprintf
ZwQueryInformationToken
ZwOpenProcessToken
ZwOpenProcess
ZwClose
strcpy
RtlNtStatusToDosError
NtQuerySystemInformation
ZwQueryInformationProcess
RtlImageNtHeader
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
RtlUpcaseUnicodeString
_strupr
ZwQueryKey
RtlFreeUnicodeString
wcstombs
memset
RtlAdjustPrivilege
memcpy
NtQueryInformationThread
sprintf
_aulldiv
_allmul
_chkstk
RtlUnwind
NtQueryVirtualMemory

kernel32

GetVersionExA
VirtualProtectEx
CreateFileMappingW
GetModuleFileNameW
GetModuleFileNameA
ExpandEnvironmentStringsA
GetFileTime
FindNextFileA
CompareFileTime
FindFirstFileA
IsWow64Process
GetLocalTime
Wow64EnableWow64FsRedirection
QueryPerformanceCounter
QueryPerformanceFrequency
HeapFree
WaitForSingleObject
ExitThread
GetLastError
CloseHandle
DeleteFileW
ResetEvent
HeapAlloc
CreateFileA
lstrcatA
WriteFile
lstrlenA
CreateDirectoryA
RemoveDirectoryA
DeleteFileA
lstrcpyA
LoadLibraryA
SetEvent
GetModuleHandleA
HeapReAlloc
GetSystemTimeAsFileTime
InterlockedIncrement
InterlockedDecrement
HeapDestroy
HeapCreate
DuplicateHandle
InitializeCriticalSection
InterlockedExchange
OpenProcess
ExitProcess
TerminateProcess
SetWaitableTimer
GetTempPathA
CreateFileW
GetTickCount
EnterCriticalSection
SuspendThread
ResumeThread
Sleep
GetCurrentThread
lstrcpyW
CopyFileW
lstrcmpiW
SwitchToThread
GetWindowsDirectoryA
CreateEventA
lstrcatW
lstrcmpA
lstrlenW
GetCommandLineA
CreateDirectoryW
LeaveCriticalSection
GetCurrentThreadId
WaitForMultipleObjects
SetLastError
lstrcmpiA
CreateMutexA
OpenWaitableTimerA
OpenMutexA
ReleaseMutex
MapViewOfFile
UnmapViewOfFile
CreateWaitableTimerA
UnregisterWait
TlsAlloc
RegisterWaitForSingleObject
TlsGetValue
TlsSetValue
LoadLibraryExW
VirtualAlloc
VirtualProtect
OpenEventA
RemoveVectoredExceptionHandler
VirtualFree
AddVectoredExceptionHandler
VirtualQuery
GetProcAddress
CreateFileMappingA
CreateProcessA
GetFileSize
GetDriveTypeW
WideCharToMultiByte
OpenFileMappingA
LocalFree
GetLogicalDriveStringsW
GetExitCodeProcess
lstrcpynA
Thread32Next
CreateToolhelp32Snapshot
QueueUserAPC
Thread32First
OpenThread
CreateNamedPipeA
CallNamedPipeA
WaitNamedPipeA
ReadFile
CancelIo
ConnectNamedPipe
GetOverlappedResult
DisconnectNamedPipe
GetSystemTime
FlushFileBuffers
SleepEx
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
CreateThread
TerminateThread
RemoveDirectoryW
GetTempFileNameA
SetEndOfFile
ExpandEnvironmentStringsW
SetFilePointer
GetCurrentProcessId
GetVersion
FindNextFileW
FindClose
GetFileAttributesW
SetFilePointerEx
FindFirstFileW
GetComputerNameW

Sections

.text
Size: 153KB - Virtual size: 153KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

af61b1f5a22d930fb70c58ff31e34414

Code Sign

Headers

File Characteristics

Imports

ntdll

kernel32

Sections

.text Size: 153KB - Virtual size: 153KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 8KB - Virtual size: 7KB

.reloc Size: 12KB - Virtual size: 12KB

.text
Size: 153KB - Virtual size: 153KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 8KB - Virtual size: 7KB

.reloc
Size: 12KB - Virtual size: 12KB