gozi_ifsb | 0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked_dropper

Sharing

Copy URL

Twitter E-mail

General

Target

0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked_dropper
Size

204KB
MD5

b57b701d59221f3537c11947696f7583
SHA1

085ef56c138c3ed4351ded58647c3af7e5bc89c2
SHA256

0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c
SHA512

d3f030e01d260e464e5219fd1a85da8d30263d4a27de6de0158912a223044311507204b8bd3af1628456371e66e8dfeeaa41e8784af9da36a7281acaa468a50a
SSDEEP

3072:qNBSUJxUw38KtevKzF3Hahj9mSiRlegItDj5kE3Wn9QXTblDgEGH+yxbd8CU:aTHUwNASVHamSDd33oQXTbSxGF

Score

10^/10

1001 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

prophosthdor.su/geo_src/outer/mapst

xhroompjsapi.com/geo_src/outer/mapst

paratrenkot.su/geo_src/outer/mapst

Attributes

exe_type
worker
server_id
44

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

0a5e359d5f40d0ac9c26e51e73b39b11572cd67ee2719ca855406ad8ed3f270c_unpacked_dropper
.exe windows x86

e90f08a9c31f1062f5b5562aa1fb1c4a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

memcpy
ZwOpenProcessToken
ZwQueryInformationToken
wcstombs
RtlUnwind
ZwClose
NtSetContextThread
RtlNtStatusToDosError
ZwQueryInformationProcess
NtGetContextThread
mbstowcs
NtMapViewOfSection
NtUnmapViewOfSection
NtCreateSection
memset
RtlRandom
ZwOpenProcess
_strupr
NtQueryVirtualMemory

shlwapi

PathFindExtensionA
PathCombineA
StrStrIA
StrRChrA
StrStrA
StrChrA

setupapi

SetupDiEnumDeviceInfo
SetupDiGetClassDevsA
SetupDiGetDeviceRegistryPropertyA
SetupDiDestroyDeviceInfoList

kernel32

CompareFileTime
HeapFree
Process32First
WaitForSingleObject
SetEvent
GetTickCount
GetWindowsDirectoryA
OpenProcess
Sleep
CreateEventA
GetCurrentProcess
TerminateProcess
GetSystemDirectoryA
lstrcatA
FindFirstFileA
GetLastError
lstrcmpiA
CopyFileA
FindClose
ResetEvent
Process32Next
OpenEventA
FindNextFileA
CreateToolhelp32Snapshot
GetFileTime
CreateWaitableTimerA
GetTempPathA
DeleteFileA
lstrcpyA
SetWaitableTimer
HeapAlloc
ResumeThread
lstrlenA
GetModuleHandleA
HeapCreate
HeapDestroy
GetCommandLineA
ExitProcess
CloseHandle
ReadFile
CreateFileA
CreateProcessA
SuspendThread
VirtualProtectEx
GetThreadContext
lstrcmpA
lstrcpynA
ExpandEnvironmentStringsW
GetTempFileNameA
CreateFileW
WriteFile
SetEndOfFile
GetFileSize
GetVersion
lstrlenW
WriteProcessMemory
GetCurrentProcessId
GetModuleFileNameA
VirtualAllocEx
VirtualAlloc
GetProcAddress
LocalFree
SetFilePointer
VirtualFree
CreateRemoteThread
ReadProcessMemory
GetModuleFileNameW

user32

GetShellWindow
wsprintfA
GetWindowThreadProcessId

advapi32

RegCreateKeyA
RegQueryValueExA
RegEnumKeyExA
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorA
FreeSid
SetSecurityInfo
AllocateAndInitializeSid
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
OpenProcessToken
RegCloseKey
GetSecurityInfo
RegOpenKeyExA
RegSetValueExA
SetNamedSecurityInfoA
SetEntriesInAclA
LookupPrivilegeValueA
RegOpenKeyA

shell32

ShellExecuteA
ord92
ShellExecuteExA

ole32

CoUninitialize
CoInitializeEx

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 168KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

e90f08a9c31f1062f5b5562aa1fb1c4a

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

shlwapi

setupapi

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 20KB - Virtual size: 20KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 4KB - Virtual size: 4KB

.rsrc Size: 168KB - Virtual size: 168KB

.text
Size: 20KB - Virtual size: 20KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 168KB - Virtual size: 168KB