gozi_ifsb | 9e8b8ce88417468f4e33a710f3a86e471eb1017b296ad23f60e8b0dbccbe1e84

General

Target

9e8b8ce88417468f4e33a710f3a86e471eb1017b296ad23f60e8b0dbccbe1e84
Size

41KB
MD5

84b948969c42b4c90afc366f92036815
SHA1

650a5c26882bf234ec723bac05403f0d49f2f8e0
SHA256

9e8b8ce88417468f4e33a710f3a86e471eb1017b296ad23f60e8b0dbccbe1e84
SHA512

eb25221a99f52bc867dfe1f69477167ff7a7937427d898e1bcf577fe8ce0a13873b6e74d34f082e6ba84da64b6f0681d14378541dbe50a0de3c89cd892665ed3
SSDEEP

768:ME0M1qikm/eKGyel6VSOtdXOXbbCfNRbq9u33d9tw9mCv7bWBoZbX8sI3p:MFM1N/XGA/p6uRO943dLsmCWOZD8sI3

Score

10^/10

6000 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

http://microsoft.com/updates

http://microsoft.com/pure

https://lovemoneylave.com

https://crazyfronfinancial.com

http://lovemoneylave.com

http://crazyfronfinancial.com

Attributes

base_path
/glik/
build
260216
dga_season
10
exe_type
loader
extension
.lwe
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

9e8b8ce88417468f4e33a710f3a86e471eb1017b296ad23f60e8b0dbccbe1e84
.exe windows x86

2dbd49fbf39b8096ad05d805ce72dda4

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
memcpy
NtQuerySystemInformation
_aulldiv

kernel32

GetModuleHandleA
HeapAlloc
HeapFree
HeapCreate
Sleep
ExitThread
lstrlenW
GetLastError
GetExitCodeThread
CloseHandle
HeapDestroy
GetCommandLineW
ExitProcess
WaitForSingleObject
GetModuleFileNameW
CreateThread
QueueUserAPC
SetLastError
TerminateThread
SleepEx
OpenProcess
CreateEventA
GetVersion
GetCurrentProcessId
GetProcAddress
LoadLibraryA
VirtualProtect
VirtualFree
VirtualAlloc
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW
GetLongPathNameW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 404B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

2dbd49fbf39b8096ad05d805ce72dda4

Code Sign

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

advapi32

Sections

.text Size: 4KB - Virtual size: 3KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 404B

.bss Size: 1024B - Virtual size: 732B

.rsrc Size: 512B - Virtual size: 16B

.reloc Size: 32KB - Virtual size: 36KB

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 404B

.bss
Size: 1024B - Virtual size: 732B

.rsrc
Size: 512B - Virtual size: 16B

.reloc
Size: 32KB - Virtual size: 36KB