gozi_ifsb | 4dd36263992917f2d88bc8afd9ba55fa0bd52cef38414a4071eaa713fc765061

General

Target

4dd36263992917f2d88bc8afd9ba55fa0bd52cef38414a4071eaa713fc765061
Size

42KB
MD5

18e1a808cec738eefbe0c9a546be601e
SHA1

e2f2861833c4e8e243fb771f3c1cd2dda62e4db2
SHA256

4dd36263992917f2d88bc8afd9ba55fa0bd52cef38414a4071eaa713fc765061
SHA512

f894c92d50dc4fa61127c23409854940e5639dcaeb5bba117d724f1a1e8f441376e7bb12adc828f38db5e7acf2c13195c803b30d214e7bcc367b0f9c9ebdea7b
SSDEEP

768:wQPdUjN9AXEvncmDx/u8nCOzWej+iS61De+cOgW1FO0PU8g6J3o/lcWjIYE/b0D:wQP+XA+1/uUCOzWeC3mi+cOgeFO0Yy4

Score

10^/10

8899 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

8899

C2

msn.com/login

vloderuniok.website

gloderuniok.website

Attributes

base_path
/jkloio/
build
260212
dga_season
10
exe_type
loader
extension
.lko
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

4dd36263992917f2d88bc8afd9ba55fa0bd52cef38414a4071eaa713fc765061
.dll regsvr32 windows x86

7810ad7e9f1684556ca41a69627e4ce9

Code Sign

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
memcpy
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
HeapAlloc
SetThreadPriority
Sleep
ExitThread
lstrlenW
GetLastError
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapFree
GetModuleFileNameW
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7810ad7e9f1684556ca41a69627e4ce9

Code Sign

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 604B

.bss Size: 1024B - Virtual size: 732B

.reloc Size: 33KB - Virtual size: 36KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 604B

.bss
Size: 1024B - Virtual size: 732B

.reloc
Size: 33KB - Virtual size: 36KB