gozi_ifsb | cee13db72b58d980778380b7382a4c3fe976ed2462fd21386e1d11a4e6669463[.]bin

General

Target

cee13db72b58d980778380b7382a4c3fe976ed2462fd21386e1d11a4e6669463.bin
Size

108KB
MD5

52b4480de6f4d4f32fba2b535941c284
SHA1

4f63c0054ee983734ae9bf8f4e9aa0383748de8f
SHA256

cee13db72b58d980778380b7382a4c3fe976ed2462fd21386e1d11a4e6669463
SHA512

48cb6b38aaf71c984acc7f18c89c6787762b2219461d158929f9f9056b604e36dfb5ada3f55867c6f8099fdde3a79c89ae7cbeb6d673908bc9489386587e94b9
SSDEEP

3072:an697qlalkDnoT0N93qznrXjtjEvgWOtlJM0fv62:VqlalkrtcjrXpjag5tj/

Score

10^/10

3184 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3184

C2

qfelicialew.city

mzg4958lc.com

gxuxwnszau.band

Attributes

build
214062
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

cee13db72b58d980778380b7382a4c3fe976ed2462fd21386e1d11a4e6669463.bin
.dll windows x86

cecc6267368cfbfce650c8c332ec214e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

ZwOpenProcessToken
ZwOpenProcess
ZwClose
strcpy
wcstombs
ZwQueryInformationToken
_snprintf
sprintf
mbstowcs
memset
memcpy
_aulldiv
_allmul
RtlUnwind
NtQueryVirtualMemory

kernel32

InterlockedExchange
LocalAlloc
GetTickCount
HeapAlloc
InterlockedIncrement
InterlockedDecrement
HeapFree
HeapDestroy
HeapCreate
SetEvent
WaitForMultipleObjects
SetWaitableTimer
lstrlenW
GetModuleHandleA
OpenFileMappingW
GetLastError
CreateEventA
CloseHandle
WaitForSingleObject
GetCurrentProcessId
CreateWaitableTimerA
SleepEx
lstrcpyA
lstrlenA
MapViewOfFile
GetSystemTimeAsFileTime
lstrcmpW
Sleep
GetComputerNameW
FreeLibrary
LoadLibraryA
RemoveVectoredExceptionHandler
TlsSetValue
TlsFree
TlsAlloc
AddVectoredExceptionHandler
TlsGetValue
LeaveCriticalSection
DeleteCriticalSection
VirtualProtect
InitializeCriticalSection
EnterCriticalSection
lstrcmpA
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
OpenProcess
GetVersion
CompareFileTime
lstrcatA
QueryPerformanceCounter
QueryPerformanceFrequency
GetProcAddress
CreateFileA
FindNextFileA
GetFileTime
FindFirstFileA
FindClose
RaiseException

oleaut32

SysAllocString
SafeArrayDestroy
SafeArrayCreate
SysFreeString

Sections

.text
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 704B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

cecc6267368cfbfce650c8c332ec214e

Headers

File Characteristics

Imports

ntdll

kernel32

oleaut32

Sections

.text Size: 36KB - Virtual size: 34KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 4KB - Virtual size: 704B

.bss Size: 4KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 36KB - Virtual size: 34KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 704B

.bss
Size: 4KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 4KB