gozi_ifsb | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_dropper

Sharing

Copy URL

Twitter E-mail

General

Target

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_dropper
Size

199KB
MD5

f8d484648035f9c039b3efe82ac0e5f3
SHA1

d0ed7541bbb49b09aec37445a4663b9cfd597524
SHA256

c35d54d4caeafeebf3f713f8e21129ef461efb70a36292b5ad688e951cd4d950
SHA512

82980268a42ad87a73d00b9627c8021c0df6d601293dfc7a0b54efefe60eb31e0d433888a4d6c0d20ca0ce644493d1a3f34a6d7f3c96c70dc2d940de070bd4af
SSDEEP

3072:6gAY5G/N6Mt4krsjo+ILVyqw3mgkg8FwhuLJD4KpXUhp/rAVHv4MUxKenOxoEM7N:6gqtmuLGmgkN9LCKpApTAVH3T+Euqfa

Score

10^/10

1071 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1071

127.0.0.1

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_dropper
.exe windows x86

e73c16deabfdd221c17ef3bf1d7b1c69

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

ZwClose
NtCreateSection
NtUnmapViewOfSection
memcpy
RtlUnwind
NtMapViewOfSection
mbstowcs
memset
ZwQueryInformationProcess
NtQuerySystemInformation
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
RtlNtStatusToDosError
RtlUpcaseUnicodeString
RtlFreeUnicodeString
NtQueryVirtualMemory

shlwapi

StrTrimW
PathFindExtensionW
StrRChrA
StrChrW
PathFindFileNameW
PathFindExtensionA
PathCombineW
StrChrA

kernel32

GetFileTime
CreateFileA
CompareFileTime
WriteFile
CreateProcessA
ResetEvent
HeapFree
CloseHandle
DeleteFileW
CreateFileW
CreateDirectoryW
CreateWaitableTimerA
lstrcatA
FindClose
lstrcpyW
SetFileAttributesW
Sleep
lstrlenW
lstrcpyA
SetEndOfFile
CreateEventA
FlushFileBuffers
FindNextFileA
FindFirstFileA
lstrcmpiW
GetLastError
HeapAlloc
GetTickCount
SetWaitableTimer
GetProcAddress
lstrcatW
lstrcmpA
ExpandEnvironmentStringsA
HeapCreate
HeapDestroy
LocalAlloc
LocalFree
GetCurrentProcessId
OutputDebugStringA
GetCommandLineW
ExitProcess
GetModuleHandleA
WaitForSingleObject
GetSystemTimeAsFileTime
SetEvent
lstrlenA
lstrcpynA
GetVersion
GetLongPathNameW
VirtualFree
VirtualAlloc
lstrcmpiA
SetLastError
GetModuleFileNameA
GetModuleFileNameW
SetFilePointer
GetFileSize
GetTempFileNameA
ResumeThread
VirtualProtectEx
SuspendThread
CreateDirectoryA
ExpandEnvironmentStringsW
GetTempPathA
CreateRemoteThread
OpenProcess
ReadFile

user32

wsprintfW
wsprintfA
FindWindowA
GetCursorInfo

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA
RegDeleteValueW
RegEnumKeyExA
RegOpenKeyW
RegCreateKeyA
GetTokenInformation
RegOpenKeyExA
RegQueryValueExW
RegSetValueExW
GetSidSubAuthorityCount
GetSidSubAuthority
RegCloseKey
RegQueryValueExA
OpenProcessToken
RegSetValueExA
RegOpenKeyA

shell32

ShellExecuteExW
ShellExecuteW
ord92

ole32

CoInitializeEx
CoUninitialize

Sections

.text
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 171KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

e73c16deabfdd221c17ef3bf1d7b1c69

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 18KB - Virtual size: 18KB

.rdata Size: 6KB - Virtual size: 5KB

.data Size: 1024B - Virtual size: 1KB

.bss Size: 1KB - Virtual size: 1KB

.rsrc Size: 171KB - Virtual size: 172KB

.text
Size: 18KB - Virtual size: 18KB

.rdata
Size: 6KB - Virtual size: 5KB

.data
Size: 1024B - Virtual size: 1KB

.bss
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 171KB - Virtual size: 172KB