gozi_ifsb | gozi[.]payload-disk

General

Target

gozi.payload-disk
Size

43KB
MD5

f980487d628f311f509054b16b2dcd27
SHA1

fe58d66a5e7eff0f88d9d5864d24aae03ed7d37e
SHA256

0655775eb61d545ea797d4ff332f78c551f992784f6139132f3f1339093e2e4f
SHA512

3ceb4f8c882211b7d0499efead6828dd5331a2830500478cdbf3bd23b91a1b61b95f2f89ef98558fd5abd3fab6346eb39aa1e8179ae03dd6641c17c6925d65ab
SSDEEP

768:xlYhzJ2VQEFfLCUeQCuu6Mf39Y+RMRZOz4yM7gp/6lvVp:xlYhzJ2VQEFf/2VYuAZOzNM7uyH

Score

10^/10

10101 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10101

C2

trackingg-protectioon.cdn1.mozilla.net

185.240.103.79

weiqeqwns.com

wdeiqeqwns.com

weiqeqwens.com

weiqewqwns.com

Attributes

base_path
/uploaded/
build
250240
exe_type
loader
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

gozi.payload-disk
.dll windows x86

ef075d26b728b78a932306e24062e80c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

ZwQueryInformationToken
ZwOpenProcess
ZwClose
ZwOpenProcessToken
_snwprintf
memcpy
strcpy
sprintf
mbstowcs
_snprintf
wcstombs
memset
_aulldiv
_allmul
_aullrem
RtlUnwind
NtQueryVirtualMemory

kernel32

RaiseException
LocalAlloc
HeapAlloc
InterlockedIncrement
InterlockedDecrement
HeapFree
SetEvent
GetTickCount
GetSystemTimeAsFileTime
Sleep
HeapDestroy
HeapCreate
SwitchToThread
lstrlenA
SetWaitableTimer
Process32First
WaitForSingleObject
SleepEx
CreateEventA
lstrlenW
GetLastError
GetProcAddress
Process32Next
WaitForMultipleObjects
GetModuleHandleA
CreateToolhelp32Snapshot
CloseHandle
CreateWaitableTimerA
lstrcpyA
ResetEvent
lstrcmpW
GetVersionExA
LoadLibraryA
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
lstrcmpA
CreateFileMappingW
MapViewOfFile
InterlockedExchange
ExpandEnvironmentStringsW
ExpandEnvironmentStringsA
QueryPerformanceFrequency
OpenProcess
GetVersion
GetCurrentProcessId
lstrcatA
QueryPerformanceCounter
GetComputerNameW
WideCharToMultiByte
GetComputerNameExA

oleaut32

SysAllocString
SafeArrayDestroy
SafeArrayCreate
SysFreeString

Sections

.text
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

ef075d26b728b78a932306e24062e80c

Headers

File Characteristics

Imports

ntdll

kernel32

oleaut32

Sections

.text Size: 30KB - Virtual size: 29KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 1000B

.bss Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 30KB - Virtual size: 29KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 1000B

.bss
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 4KB