gozi_rm3 | 604c2ab0a2b912406141d5fdf587ebe1b88347a32523a82c6fbcaf922ae4ed80

Sharing

Copy URL

Twitter E-mail

General

Target

604c2ab0a2b912406141d5fdf587ebe1b88347a32523a82c6fbcaf922ae4ed80
Size

67KB
MD5

3204a2da3b1729994bdb30ee2ac1c590
SHA1

4b787542f8749d3d3765e1ae34239d5b0f484641
SHA256

604c2ab0a2b912406141d5fdf587ebe1b88347a32523a82c6fbcaf922ae4ed80
SHA512

c81ff393929b522f1bf8fe1a47c554cf3a92cdfe9e54f2a3aeee159e7c8c07453533c67c462fdd0455f13204cbdae306d82b7cd00cbce52090033d36e79bcdd9
SSDEEP

1536:oUAPXe5+29GhOiQc1TOqYruWBrKRcGqNnClv3iJ:9APu05hOinKqYrtr2cGqNnC93iJ

Score

10^/10

201911263 gozi_rm3

Malware Config

Extracted

Family

gozi_rm3

Attributes

exe_type
loader

Extracted

Family

gozi_rm3

Botnet

201911263

https://olasharm.xyz

Attributes

build
300826
dga_season
10
exe_type
loader
server_id
12
url_path
index.html

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_rm3 family
gozi_rm3

Files

604c2ab0a2b912406141d5fdf587ebe1b88347a32523a82c6fbcaf922ae4ed80
.dll windows x86

9beee685392780151afbf8b282632ea7

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegCloseKey
RegEnumKeyExW
RegSetValueExW
RegQueryValueExW
RegOpenKeyW
GetUserNameW
GetSidSubAuthorityCount
OpenProcessToken
GetTokenInformation
GetSidSubAuthority
RegCreateKeyW

dnsapi

DnsQuery_A
DnsFree

kernel32

CreateWaitableTimerA
HeapCreate
lstrlen
CreateEventW
GetSystemTimeAsFileTime
SetWaitableTimer
WaitForMultipleObjects
GetModuleHandleA
lstrcat
ResetEvent
lstrcpy
WaitForSingleObject
CreateEventA
Sleep
GetProcAddress
CreateWaitableTimerW
CloseHandle
lstrlenW
lstrcpyW
GetCommandLineW
GetLastError
CreateMutexW
MultiByteToWideChar
ExpandEnvironmentStringsW
lstrcmpW
QueryPerformanceFrequency
QueryPerformanceCounter
GetComputerNameW
OpenProcess
InitializeCriticalSection
ProcessIdToSessionId
GetCurrentProcessId
lstrcatW
LeaveCriticalSection
LoadLibraryA
EnterCriticalSection
SetEvent
GetModuleFileNameW
HeapFree
HeapAlloc

oleaut32

SafeArrayCreate
SafeArrayDestroy
SysFreeString
SysAllocString

shell32

ShellExecuteW

shlwapi

StrChrW
StrStrW
PathCombineW
StrStrIW
StrStrA
StrStrIA
IUnknown_QueryService
StrTrimA
StrToIntExA
StrChrA

user32

wsprintfW
wsprintfA

winhttp

WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpWriteData
WinHttpReadData
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryOption
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpQueryHeaders

ws2_32

inet_ntoa
inet_addr

ntdll

sprintf
_snprintf
strchr
strcpy
memmove
NtCreateKey
NtDeleteValueKey
RtlInitUnicodeString
NtSetValueKey
NtQueryInformationToken
NtOpenProcessToken
_wcsupr
NtQueryVirtualMemory
_snwprintf
_allmul
_aulldiv
wcsrchr
NtQueryInformationProcess
NtClose
RtlNtStatusToDosError
wcstombs
memset
mbstowcs
RtlImageNtHeader
wcschr
memcpy
RtlUnwind

ole32

CoUninitialize
CoCreateInstance
CoSetProxyBlanket
CreateStreamOnHGlobal
CoInitializeEx

Sections

Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

9beee685392780151afbf8b282632ea7

Headers

File Characteristics

Imports

advapi32

dnsapi

kernel32

oleaut32

shell32

shlwapi

user32

winhttp

ws2_32

ntdll

ole32

Sections

Size: 44KB - Virtual size: 44KB

Size: 4KB - Virtual size: 4KB

Size: 4KB - Virtual size: 4KB

Size: 4KB - Virtual size: 4KB

Size: 7KB - Virtual size: 7KB