gozi_rm3 | 87058836bd1c2c7a428ae4a3b4729035dab25795fe4da55b3f5793cc115c611a

Sharing

Copy URL

Twitter E-mail

General

Target

87058836bd1c2c7a428ae4a3b4729035dab25795fe4da55b3f5793cc115c611a
Size

68KB
MD5

42aaa953a06706c56f64cb9f6d270677
SHA1

c27147895cc156862e5bf4d29e434f2fffc28a81
SHA256

87058836bd1c2c7a428ae4a3b4729035dab25795fe4da55b3f5793cc115c611a
SHA512

a52e9b8718c7abc574a982b75c3ca7a7f6a5aac438ab0de8694060f72ca42b8c639b359d6d3ddb1b40d0a65066b1368f9514bcf35423f593a23bcf706865f6e9
SSDEEP

1536:yqRghPXChDUnQc1MrLWsWHgTnRRabR39Y04rS:y1hPyhDUnnMrDL+bJ9YTS

Score

10^/10

gozi_rm3

Malware Config

Extracted

Family

gozi_rm3

rsa_pubkey.plain

Signatures

Gozi_rm3 family
gozi_rm3

Files

87058836bd1c2c7a428ae4a3b4729035dab25795fe4da55b3f5793cc115c611a
.dll windows x86

39e34f289e8fd511f04654a06543337f

Code Sign

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_NET_RUN_FROM_SWAP

Imports

ntdll

NtCreateKey
NtDeleteValueKey
NtSetValueKey
NtQueryValueKey
NtOpenKey
memmove
memcmp
mbstowcs
_strupr
RtlImageNtHeader
wcstombs
NtQueryInformationToken
NtOpenProcessToken
NtProtectVirtualMemory
NtAllocateVirtualMemory
_wcsupr
NtQueryVirtualMemory
NtOpenFile
NtSetInformationProcess
memset
NtMapViewOfSection
NtOpenSection
NtQueryInformationProcess
strrchr
RtlInitUnicodeString
RtlNtStatusToDosError
_snwprintf
LdrFindEntryForAddress
strchr
wcsrchr
NtClose
NtUnmapViewOfSection
memcpy
_aulldiv
_allmul
RtlUnwind

kernel32

CreateProcessA
GetModuleHandleA
lstrlenW
TlsSetValue
TlsGetValue
GetProcessId
CreateProcessW
lstrcatW
GetLastError
OpenEventW
SetLastError
Sleep
EnterCriticalSection
CloseHandle
HeapDestroy
lstrcpyW
ResetEvent
LeaveCriticalSection
HeapCreate
WaitForSingleObject
SetEvent
AddVectoredExceptionHandler
RemoveVectoredExceptionHandler
CreateEventW
CreateMutexW
ExitThread
GetProcAddress
SleepEx
lstrcpyA
lstrcmpA
lstrlenA
InitializeCriticalSection
VirtualFree
GetCurrentThreadId
GetModuleHandleExW
ReadFile
CancelIo
GetOverlappedResult
WaitNamedPipeW
WriteFile
CreateEventA
GetModuleFileNameW
LoadLibraryA
GetSystemTimeAsFileTime
SetThreadContext
GetThreadContext
CreateThread
ProcessIdToSessionId
GetCurrentProcessId
WaitForMultipleObjects
SetFilePointer
ResumeThread
CheckRemoteDebuggerPresent
TlsAlloc
OpenProcess
HeapFree
HeapAlloc
HeapReAlloc
lstrcmpiA

Sections

.text
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

39e34f289e8fd511f04654a06543337f

Code Sign

Headers

File Characteristics

Imports

ntdll

kernel32

Sections

.text Size: 45KB - Virtual size: 44KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 1KB - Virtual size: 1KB

.bss Size: 1024B - Virtual size: 1008B

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 45KB - Virtual size: 44KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 1KB - Virtual size: 1KB

.bss
Size: 1024B - Virtual size: 1008B

.reloc
Size: 3KB - Virtual size: 4KB