gozi_ifsb | 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_x64

Sharing

Copy URL

Twitter E-mail

General

Target

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_x64
Size

345KB
MD5

63223be31de5e0ea133b2aaf8cd63e9c
SHA1

28aa25ef0ca227656504d074b4107989a3847780
SHA256

908a2b2d385a32d541c795b3fd4b4675502632935fc5b772bb0323798b4a47ad
SHA512

0acd678c11462a397fe7176674229e6ca97481fd767be63e6c5ae5161f5e186dd3ab6fffc8bb6e0510098fc21fe22f0fe745d7207141a15a2644eb6396dfd564
SSDEEP

6144:aImDEdF/rxGtCM0KfJyO9C3GMHxpbdP5Q9RPoqTiB+6k6X7O:aImYdF/rItCMV9C9hARPoqTiB+

Score

10^/10

10008 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

10008

jscallowallowallowjcli.me

disallowjscuserallow.pw

Attributes

build
215801
dga_base_url
z1.zedo.com/robots.txt
dga_crc
0x246640bb
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_x64
.dll windows x64

85db2c520c2ed9f9d57aed9c49009c24

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

strncpy
memmove
memcmp
NtCreateSection
NtMapViewOfSection
NtUnmapViewOfSection
RtlRandomEx
ZwOpenProcess
ZwOpenProcessToken
ZwClose
ZwQueryInformationToken
NtSuspendProcess
NtQuerySystemInformation
NtResumeProcess
RtlNtStatusToDosError
ZwQueryInformationProcess
sscanf
_strupr
_wcsupr
wcscpy
memset
RtlUpcaseUnicodeString
RtlFreeUnicodeString
ZwQueryKey
sprintf
_snprintf
wcstombs
strcpy
RtlImageNtHeader
mbstowcs
RtlAdjustPrivilege
_memicmp
strstr
memcpy
isxdigit
__C_specific_handler
__chkstk

kernel32

TerminateThread
IsBadReadPtr
QueueUserWorkItem
FileTimeToLocalFileTime
VirtualProtectEx
lstrcmpiW
VirtualFree
GetModuleFileNameW
FileTimeToSystemTime
GetLocalTime
VirtualAlloc
CreateDirectoryA
GetLastError
HeapFree
RemoveDirectoryA
CloseHandle
LoadLibraryA
DeleteFileA
CreateFileA
lstrcpyA
lstrcatA
lstrlenA
WriteFile
HeapAlloc
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
GetTickCount
lstrlenW
GetCurrentThread
SetWaitableTimer
GetSystemTimeAsFileTime
CreateEventA
DeleteFileW
GetWindowsDirectoryA
GetTempPathA
SuspendThread
CreateDirectoryW
ResumeThread
lstrcpyW
GetModuleHandleA
OpenProcess
CreateThread
SwitchToThread
lstrcatW
CreateFileW
GetCurrentThreadId
DuplicateHandle
Sleep
CopyFileW
LeaveCriticalSection
SetLastError
lstrcmpiA
MapViewOfFile
UnmapViewOfFile
WaitForMultipleObjects
EnterCriticalSection
OpenWaitableTimerA
CreateMutexA
OpenMutexA
ReleaseMutex
CreateWaitableTimerA
SystemTimeToTzSpecificLocalTime
lstrcmpA
GetComputerNameW
InitializeCriticalSection
UnregisterWait
TlsAlloc
RegisterWaitForSingleObject
TlsGetValue
LoadLibraryExW
TlsSetValue
ExitProcess
GetProcAddress
GetFileSize
CreateProcessA
CreateFileMappingA
GetDriveTypeW
WideCharToMultiByte
GetLogicalDriveStringsW
GetFileAttributesA
OpenFileMappingA
GetExitCodeProcess
GetFileAttributesW
lstrcpynA
LocalFree
CreateToolhelp32Snapshot
QueueUserAPC
OpenThread
Thread32Next
ReadFile
ConnectNamedPipe
GetOverlappedResult
CancelIo
DisconnectNamedPipe
FlushFileBuffers
CallNamedPipeA
CreateNamedPipeA
GetSystemTime
WaitNamedPipeA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
SleepEx
OpenEventA
ResetEvent
LocalAlloc
FreeLibrary
RaiseException
GetModuleFileNameA
GetCurrentProcessId
GetVersion
VirtualProtect
DeleteCriticalSection
SetEndOfFile
FindNextFileW
SetFilePointer
FindFirstFileW
RemoveDirectoryW
ExpandEnvironmentStringsW
FindClose
GetTempFileNameA
GetVersionExW
WaitForSingleObject
Thread32First

iphlpapi

GetAdaptersAddresses
GetBestRoute
GetIpAddrTable

oleaut32

VariantClear
SysFreeString
SysAllocString
VariantInit

Sections

.text
Size: 285KB - Virtual size: 285KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

85db2c520c2ed9f9d57aed9c49009c24

Headers

File Characteristics

Imports

ntdll

kernel32

iphlpapi

oleaut32

Sections

.text Size: 285KB - Virtual size: 285KB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 7KB - Virtual size: 11KB

.pdata Size: 10KB - Virtual size: 9KB

.bss Size: 6KB - Virtual size: 6KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 285KB - Virtual size: 285KB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 7KB - Virtual size: 11KB

.pdata
Size: 10KB - Virtual size: 9KB

.bss
Size: 6KB - Virtual size: 6KB

.reloc
Size: 3KB - Virtual size: 4KB