Behavioral task: behavioral1
Sample: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_x64.dll
Resource: win7-20220812-en

General
Target: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_x64
Size: 177KB
MD5: b4d2cdc7fffc68ca3ec95c30b96e3d18
SHA1: b4db6203fbecf2ef38372e0f9bbc3fe960e1f07a
SHA256: f17c218281891da09fc54ff6cff10e8434a6710b3c0de540cd9ffd0c593792b3
SHA512: 349ee2feb39dddbe55ec33dd52a8b1988a2579cbcc40d89c1e6d330f46e2484561c41221b5c5f533581123044a4dfe89b78ac19d54c37241920965bcf721b4e7
SSDEEP: 3072:isTmBr1+87Wxn+ppJL49PdrtPAle/9o+qZZHIxlYDkImLPq:81Vu+4dr9R/9o+q8l1q
Malware Config
Extracted: gozi_ifsb
1071
127.0.0.1
exe_type: worker
server_id: 12

Signatures
Gozi_ifsb family
Files
249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab_unpacked_x64.dll (windows x64)
447ce0359c740bcdcd142bf7530fe5fd
Headers
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntdll
ZwClose
ZwQueryInformationToken
ZwOpenProcessToken
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
NtQuerySystemInformation
RtlNtStatusToDosError
ZwQueryInformationProcess
memcpy
_strupr
_wcsupr
wcscpy
memset
RtlFreeUnicodeString
ZwQueryKey
RtlUpcaseUnicodeString
sprintf
_snprintf
wcstombs
strcpy
RtlImageNtHeader
mbstowcs
RtlAdjustPrivilege
ZwOpenProcess
__C_specific_handler
kernel32
WideCharToMultiByte
FileTimeToLocalFileTime
SystemTimeToFileTime
FileTimeToSystemTime
GetLocalTime
VirtualAlloc
GetModuleFileNameA
OpenProcess
CreateRemoteThread
VirtualFree
GetModuleFileNameW
DeleteCriticalSection
FindClose
GetTempFileNameA
CloseHandle
LoadLibraryA
LocalFree
CreateFileA
DeleteFileA
LocalAlloc
lstrcpyA
lstrcatA
lstrlenA
WriteFile
HeapAlloc
CreateDirectoryA
GetLastError
HeapFree
OutputDebugStringA
RemoveDirectoryA
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
CreateFileW
Sleep
CopyFileW
DeleteFileW
lstrlenW
GetCurrentThread
GetTempPathA
SetWaitableTimer
CreateEventA
GetSystemTimeAsFileTime
SuspendThread
ResumeThread
GetWindowsDirectoryA
lstrcpyW
CreateThread
SwitchToThread
CreateDirectoryW
lstrcatW
ReleaseMutex
WaitForSingleObject
GetComputerNameW
CreateWaitableTimerA
lstrcmpA
GetSystemTime
LeaveCriticalSection
SetLastError
MapViewOfFile
lstrcmpiA
UnmapViewOfFile
WaitForMultipleObjects
EnterCriticalSection
OpenWaitableTimerA
CreateMutexA
OpenMutexA
InitializeCriticalSection
LoadLibraryExW
GetModuleHandleA
UnregisterWait
RegisterWaitForSingleObject
GetProcAddress
GetDriveTypeW
SetEndOfFile
GetLogicalDriveStringsW
GetFileAttributesA
GetExitCodeProcess
OpenFileMappingA
GetFileAttributesW
GetFileSize
CreateProcessA
CreateFileMappingA
lstrcpynA
TlsGetValue
TlsSetValue
TlsAlloc
GlobalUnlock
VirtualProtect
GetLongPathNameW
GlobalLock
Thread32First
CreateToolhelp32Snapshot
QueueUserAPC
OpenThread
Thread32Next
ReadFile
ConnectNamedPipe
GetOverlappedResult
CancelIo
DisconnectNamedPipe
FlushFileBuffers
CallNamedPipeA
CreateNamedPipeA
WaitNamedPipeA
AddVectoredExceptionHandler
SleepEx
OpenEventA
RemoveVectoredExceptionHandler
ResetEvent
FreeLibrary
RaiseException
FindNextFileW
SetFilePointer
FindFirstFileW
RemoveDirectoryW
ExpandEnvironmentStringsW
GetVersion
VirtualProtectEx
Sections
.text   Size: 134KB - Virtual size: 134KB   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  Size: 24KB - Virtual size: 24KB     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   Size: 5KB - Virtual size: 6KB       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  Size: 4KB - Virtual size: 4KB       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss    Size: 5KB - Virtual size: 4KB       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  Size: 2KB - Virtual size: 4KB       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ