CreateProcessNotify
Behavioral task: behavioral1
Sample: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked.dll
Resource: win7-20220812-en
General
Target: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked
Size: 146KB
MD5: 9b14a37463b58a73d05d34adf8003ef7
SHA1: 71b3581a17acc5112c4a9fcc9957ca0bdd54ab8a
SHA256: 90a75fcaa0c8da7865da027c84793cdfdef64d26d3ac7172ea8bbce2e63f4c15
SHA512: 462bb96e9359e4dec8814ec8ec8d6f96cc56f6804c488eb26a7e183e22d56f9fa97705e6ac3dba7cf9dee30da1e3326aef31be1087ba805bfe3dd77f6ba038c9
SSDEEP: 3072:pLdrePUath0c2HxGLLRQy2Ty1qlalXnGv+Zhc2t3zJnmWpH0/p:pdrezthd2HxyLRQvTgqlalJDt3zJnmWp
Malware Config
Extracted
gozi_ifsb
1010
supportsstats.com/geodata/version/ip2ext
neteworkgroup.com/geodata/version/ip2ext
highnetwork.pw/geodata/version/ip2ext
lostnetwork.in/geodata/version/ip2ext
sysconnections.net/geodata/version/ip2ext
lansupports.com/geodata/version/ip2ext
build: 212578
exe_type: worker
server_id: 30
Signatures
- Gozi_ifsb family
Files
- 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked.dll windows x86
  35bb816e49c8b3cc0ca8df1afd98b8c6
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll:
NtCreateSection
sprintf
ZwQueryInformationToken
ZwOpenProcessToken
ZwOpenProcess
ZwClose
strcpy
NtGetContextThread
ZwQueryInformationProcess
NtUnmapViewOfSection
NtSetContextThread
RtlAdjustPrivilege
_strupr
_wcsupr
memset
wcscpy
ZwQueryKey
wcstombs
RtlImageNtHeader
mbstowcs
memcpy
NtMapViewOfSection
RtlNtStatusToDosError
_aulldiv
_allmul
_chkstk
RtlUnwind
NtQueryVirtualMemory
kernel32:
CreateToolhelp32Snapshot
SetFilePointerEx
QueueUserWorkItem
FileTimeToLocalFileTime
GetCurrentProcess
VirtualProtectEx
GetThreadContext
lstrcmpiW
lstrcmpW
GetModuleFileNameA
ReadProcessMemory
OpenProcess
CloseHandle
CreateDirectoryA
GetLastError
HeapAlloc
RemoveDirectoryA
DeleteFileA
lstrcpyA
HeapFree
LoadLibraryA
CreateFileA
lstrcatA
lstrlenA
WriteFile
InterlockedIncrement
InterlockedDecrement
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
GetTickCount
DeleteFileW
Sleep
lstrlenW
GetTempPathA
CopyFileW
SuspendThread
ResumeThread
SetWaitableTimer
CreateEventA
lstrcpyW
GetCurrentThread
InterlockedExchange
CreateThread
SwitchToThread
GetSystemTimeAsFileTime
GetWindowsDirectoryA
lstrcatW
CreateDirectoryW
GetCurrentThreadId
lstrcmpiA
WaitForSingleObject
GetComputerNameW
LeaveCriticalSection
CreateMutexA
EnterCriticalSection
MapViewOfFile
UnmapViewOfFile
ReleaseMutex
CreateWaitableTimerA
WaitForMultipleObjects
InitializeCriticalSection
RegisterWaitForSingleObject
LoadLibraryExW
GetModuleHandleA
SetLastError
VirtualProtect
VirtualAlloc
UnregisterWait
GetProcAddress
GetDriveTypeW
OpenFileMappingA
WideCharToMultiByte
LocalFree
GetLogicalDriveStringsW
GetExitCodeProcess
CreateFileMappingA
CreateProcessA
CreateFileW
GetFileSize
lstrcpynA
TlsGetValue
TlsSetValue
TlsAlloc
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalLock
GlobalUnlock
Thread32Next
GetLocalTime
QueueUserAPC
Thread32First
OpenThread
CreateNamedPipeA
CallNamedPipeA
WaitNamedPipeA
ReadFile
CancelIo
ConnectNamedPipe
GetOverlappedResult
GetSystemTime
DisconnectNamedPipe
FlushFileBuffers
AddVectoredExceptionHandler
SleepEx
RemoveVectoredExceptionHandler
ResetEvent
LocalAlloc
FreeLibrary
RaiseException
CreateRemoteThread
VirtualAllocEx
VirtualFree
WriteProcessMemory
GetModuleFileNameW
FileTimeToSystemTime
GetCurrentProcessId
GetVersion
DeleteCriticalSection
lstrcmpA
RemoveDirectoryW
FindClose
GetTempFileNameA
SetEndOfFile
ExpandEnvironmentStringsW
SetFilePointer
FindFirstFileW
GetFileAttributesW
FindNextFileW
oleaut32:
SysFreeString
VariantClear
SysAllocString
VariantInit
Exports
Sections
.text Size: 114KB - Virtual size: 113KB
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 12KB - Virtual size: 12KB
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 4KB
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss Size: 6KB - Virtual size: 5KB
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc Size: 9KB - Virtual size: 12KB
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ