Behavioral task: behavioral1
- Sample: 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028.dll
- Resource: win10v2004-en-20220112
General
- Target: 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028
- Size: 53KB
- MD5: 8fef088246f4bb2e5ce12600799ddd12
- SHA1: 9dc3e57e33f7cbc4b0ca75b071d7bfadab509f1f
- SHA256: 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028
- SHA512: d591f169ffdb45f4c4da095a90038fb35bc0ac777c086ae284b851c69d5d6acf02ef9ea15600cb39ef7f9458458fdab2517d2144d9db3f2638a6a03450e591d5
- SSDEEP: 1536:eZqlalXIyRM4g2WRw9K+xVbkvlS0Qc1qhhmakOnDpupm88eD0:yqlalVRTQ+x5KE0nAhm6Dpupmv
Malware Config
Extracted
- gozi_ifsb
- 1500
- gaw.explik.at/webstore
- low.explik.at/webstore
- build: 250152
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: loader
- server_id: 550
Signatures
- Gozi_ifsb family

Files
- 21a03d9c845e446cb96eba7c93aa6403b8a9aaa744801e77468bf73c0507d028.dll windows x86
  b6b42f6f4fde10310f61bbd5d36007a7
Code Sign
Headers
File Characteristics
- IMAGE_FILE_EXECUTABLE_IMAGE
- IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
- _snprintf
- sprintf
- strcpy
- ZwQueryInformationToken
- wcstombs
- ZwOpenProcessToken
- ZwOpenProcess
- ZwClose
- _snwprintf
- mbstowcs
- memcpy
- memset
- _aulldiv
- _allmul
- RtlUnwind
- NtQueryVirtualMemory
kernel32
- RaiseException
- InterlockedExchange
- LocalAlloc
- Sleep
- InterlockedIncrement
- InterlockedDecrement
- HeapFree
- HeapDestroy
- HeapCreate
- SetEvent
- GetTickCount
- HeapAlloc
- WaitForSingleObject
- WaitForMultipleObjects
- CreateEventA
- GetLastError
- GetProcAddress
- GetModuleHandleA
- SleepEx
- lstrlenA
- CloseHandle
- GetSystemTimeAsFileTime
- CreateWaitableTimerA
- SetWaitableTimer
- lstrcpyA
- lstrlenW
- CreateFileMappingW
- MapViewOfFile
- ExpandEnvironmentStringsW
- ExpandEnvironmentStringsA
- lstrcmpW
- GetVersionExA
- GetComputerNameW
- FreeLibrary
- LoadLibraryA
- LeaveCriticalSection
- InitializeCriticalSection
- EnterCriticalSection
- CompareFileTime
- FindClose
- FindFirstFileA
- GetFileTime
- FindNextFileA
- IsWow64Process
- lstrcmpA
- CreateFileA
- OpenProcess
- GetVersion
- GetCurrentProcessId
- lstrcatA
- QueryPerformanceFrequency
- QueryPerformanceCounter
- Wow64EnableWow64FsRedirection
oleaut32
- SysAllocString
- SafeArrayDestroy
- SafeArrayCreate
- SysFreeString
winhttp
- WinHttpSetOption
- WinHttpOpenRequest
- WinHttpSendRequest
- WinHttpQueryDataAvailable
- WinHttpReceiveResponse
- WinHttpQueryHeaders
- WinHttpConnect
- WinHttpReadData
- WinHttpQueryOption
- WinHttpOpen
- WinHttpCloseHandle
Sections
- .text (Size: 41KB, Virtual size: 40KB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata (Size: 4KB, Virtual size: 3KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data (Size: 512B, Virtual size: 756B): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .bss (Size: 3KB, Virtual size: 3KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .reloc (Size: 3KB, Virtual size: 4KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ