gozi_ifsb | 25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked

Sharing

Copy URL

Twitter E-mail

General

Target

25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked
Size

277KB
MD5

960a14f61af3e94c0702736f097dab03
SHA1

0f0d1e38b522de60976a229872d7691cd1288f73
SHA256

9801ea6ea41220f101cbeca1cd3a2bbb033ccb9f04b3e121b62c47b2cb4112cc
SHA512

500df57c19673f93039341f697ac9e93e17e659b225e9736d496b7dfa7248e7f014add640ebbb22e07a45db779181db82f36f92a7ab20a6ab95cd79c6cd9a10a
SSDEEP

6144:7RWLJJp6tgWJLsnp5TlovshucMRuDdIGptJqlalRtNwh8zGd34:IFJeCTTc8uyiGptJqglfNwhRI

Score

10^/10

2002 gozi_ifsb

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2002

test1.ru

Attributes

dga_base_url
opensource.apple.com/source/Security/Security-29/SecureTransport/LICENSE.txt?txt
dga_crc
0x6f0b167a
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi_ifsb family
gozi_ifsb

Files

25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked
.dll windows x86

527bab13e4997ee22e4b4c8fed77c0bb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

sscanf
_memicmp
strncpy
memmove
memcmp
RtlRandomEx
ZwQueryInformationToken
ZwOpenProcess
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
NtQuerySystemInformation
NtCreateSection
ZwClose
RtlNtStatusToDosError
NtMapViewOfSection
memcpy
_snprintf
_wcsupr
_strupr
wcscpy
memset
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
RtlImageNtHeader
RtlAdjustPrivilege
mbstowcs
strstr
isxdigit
NtUnmapViewOfSection
sprintf
_allmul
_aulldiv
_allshl
_alldiv
_chkstk
RtlUnwind
NtQueryVirtualMemory

kernel32

SetFilePointerEx
SystemTimeToTzSpecificLocalTime
TerminateThread
IsBadReadPtr
QueueUserWorkItem
FileTimeToLocalFileTime
SystemTimeToFileTime
GetModuleFileNameA
GetLocalTime
GetModuleFileNameW
CreateFileA
lstrlenA
HeapAlloc
HeapFree
WriteFile
lstrcatA
CreateDirectoryA
GetLastError
RemoveDirectoryA
LoadLibraryA
CloseHandle
DeleteFileA
lstrcpyA
HeapReAlloc
InterlockedIncrement
InterlockedDecrement
SetEvent
GetTickCount
HeapDestroy
HeapCreate
SetWaitableTimer
CreateDirectoryW
GetCurrentThread
GetSystemTimeAsFileTime
GetWindowsDirectoryA
OpenProcess
Sleep
CopyFileW
CreateEventA
CreateFileW
lstrlenW
InterlockedExchange
GetModuleHandleA
lstrcatW
GetCurrentThreadId
DuplicateHandle
DeleteFileW
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
CreateThread
SwitchToThread
lstrcmpA
MapViewOfFile
UnmapViewOfFile
WaitForSingleObject
LeaveCriticalSection
SetLastError
lstrcmpiA
EnterCriticalSection
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
GetComputerNameW
CreateWaitableTimerA
GetSystemTime
InitializeCriticalSection
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
VirtualAlloc
RegisterWaitForSingleObject
VirtualProtect
TlsAlloc
GetProcAddress
GetFileSize
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetExitCodeProcess
CreateProcessA
CreateFileMappingA
OpenFileMappingA
LocalFree
lstrcpynA
GlobalLock
GlobalUnlock
Thread32First
Thread32Next
QueueUserAPC
OpenThread
FileTimeToSystemTime
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
RemoveVectoredExceptionHandler
SleepEx
AddVectoredExceptionHandler
OpenEventA
LocalAlloc
FreeLibrary
RaiseException
VirtualFree
GetCurrentProcessId
GetVersion
DeleteCriticalSection
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
GetTempFileNameA
GetFileAttributesW
SetEndOfFile
SetFilePointer
FindFirstFileW
VirtualProtectEx
ResetEvent
lstrcmpiW
ReleaseMutex
CreateToolhelp32Snapshot

iphlpapi

GetAdaptersAddresses
GetIpAddrTable
GetBestRoute

oleaut32

VariantInit
VariantClear
SysAllocString
SysFreeString

Sections

.text
Size: 230KB - Virtual size: 230KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

527bab13e4997ee22e4b4c8fed77c0bb

Headers

File Characteristics

Imports

ntdll

kernel32

iphlpapi

oleaut32

Sections

.text Size: 230KB - Virtual size: 230KB

.rdata Size: 22KB - Virtual size: 21KB

.data Size: 4KB - Virtual size: 5KB

.bss Size: 6KB - Virtual size: 6KB

.reloc Size: 13KB - Virtual size: 16KB

.text
Size: 230KB - Virtual size: 230KB

.rdata
Size: 22KB - Virtual size: 21KB

.data
Size: 4KB - Virtual size: 5KB

.bss
Size: 6KB - Virtual size: 6KB

.reloc
Size: 13KB - Virtual size: 16KB