gozi_ifsb | 0d6014f1d2487230c3bb38f31d2742577f84fd2f2e0d97be5fb9cf28b7ab6de9_unpacked_dropper

Sharing

Copy URL

Twitter E-mail

General

Target

0d6014f1d2487230c3bb38f31d2742577f84fd2f2e0d97be5fb9cf28b7ab6de9_unpacked_dropper
Size

82KB
MD5

f2edc07f72b81b98bb10f694d13727ac
SHA1

38bdc31f7a9fafe0ff8a634380008dc6b1607cec
SHA256

fcad6121e5a3620399acc0b34c9ecaf5e70098464455f8e7a0decd7bb038a69c
SHA512

e58163f222e77ffa4cb7269dde011262f6fe9005706307c0c9270d660127571b889c3050901c0a8f040bcfb4666f7b1be78721f134d7c7f16cb2ef24fdf17607
SSDEEP

1536:C3N7xabOVqV+DmSAnfGcNrVaQY++QU1w920mdrixZ2Gj1BSiCJdwSl0J:Um1wDmZnfGcNkF++Z1i5PxZNj1QrdwSl

Score

10^/10

1091 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1091

pop.project-ip.co.uk

Attributes

exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

0d6014f1d2487230c3bb38f31d2742577f84fd2f2e0d97be5fb9cf28b7ab6de9_unpacked_dropper
.exe windows x86

a3f110bf32c2155d5b657cedbd5fb1b3

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

ZwQueryInformationToken
memset
NtQuerySystemInformation
ZwClose
RtlNtStatusToDosError
memcpy
ZwOpenProcessToken
ZwQueryInformationProcess
NtUnmapViewOfSection
NtMapViewOfSection
RtlUpcaseUnicodeString
NtCreateSection
mbstowcs
ZwOpenProcess
RtlFreeUnicodeString
RtlUnwind
_aulldiv
NtQueryVirtualMemory

shlwapi

StrChrA
StrRChrA
StrChrW
StrTrimW

kernel32

ResetEvent
CreateWaitableTimerA
MapViewOfFile
DeleteFileW
UnmapViewOfFile
SetFileAttributesW
CreateFileMappingA
CreateProcessA
SwitchToThread
HeapAlloc
SetWaitableTimer
GetExitCodeProcess
lstrlenA
CloseHandle
GetProcAddress
CreateEventA
SetEvent
GetLastError
lstrcatW
Sleep
lstrlenW
HeapFree
GetCommandLineW
ExitProcess
GetModuleHandleA
HeapCreate
HeapDestroy
WaitForSingleObject
GetSystemTimeAsFileTime
SetLastError
VirtualProtectEx
ResumeThread
SuspendThread
lstrcmpA
LocalFree
ExpandEnvironmentStringsW
GetLongPathNameW
OpenProcess
GetVersion
GetCurrentProcessId
QueryPerformanceFrequency
CreateFileA
VirtualFree
ExpandEnvironmentStringsA
lstrcmpiA
lstrcpyA
VirtualAlloc
SetFilePointer
ReadFile
GetModuleFileNameW
QueryPerformanceCounter
CreateFileW
GetModuleFileNameA
lstrcatA
lstrcpynA
DeviceIoControl
WriteFile
FindNextFileA
SetEndOfFile
GetFileTime
CompareFileTime
FindFirstFileA
FindClose

user32

wsprintfA
FindWindowA

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey
ConvertStringSecurityDescriptorToSecurityDescriptorA

Sections

.text
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 60KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

a3f110bf32c2155d5b657cedbd5fb1b3

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

Sections

.text Size: 15KB - Virtual size: 14KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 1KB

.bss Size: 2KB - Virtual size: 1KB

.rsrc Size: 60KB - Virtual size: 64KB

.text
Size: 15KB - Virtual size: 14KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 1KB

.bss
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 60KB - Virtual size: 64KB