gozi_ifsb | ursnif_IAT_corrected[.]exe[.]dll

General

Target

ursnif_IAT_corrected.exe.dll
Size

56KB
MD5

8b52c277c63c5877c0e4ca32d1458957
SHA1

1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256

8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
SHA512

9f7022155d4764e625fe1a6b5377eed4b2e7620a9bd03c7f5474112de30bb60b7898c5e9a325035544d01c3621bff103f6b857373d146c1f622772e1abbf1b99
SSDEEP

768:A2KGmsx3R69vSvjyRpq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiu6:wGBx3R6iApqlaPGhVMq2LpeReOb2Pmp

Score

10^/10

5000 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5000

C2

config.edge.skype.com

onlinetwork.top

linetwork.top

Attributes

base_path
/drew/
build
250246
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

ursnif_IAT_corrected.exe.dll
.dll regsvr32 windows x86

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
GetLocaleInfoA
GetSystemDefaultUILanguage
SetThreadPriority
HeapFree
Sleep
ExitThread
lstrlenW
GetLastError
VerLanguageNameA
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapAlloc
GetModuleHandleA
GetModuleFileNameW
SetLastError
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 5KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 604B

.bss Size: 4KB - Virtual size: 732B

.reloc Size: 29KB - Virtual size: 32KB

.text
Size: 8KB - Virtual size: 5KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 604B

.bss
Size: 4KB - Virtual size: 732B

.reloc
Size: 29KB - Virtual size: 32KB