Behavioral task: behavioral1
Sample: 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_dropper.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_dropper.exe
Resource: win10v2004-20220901-en
General
- Target: 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_dropper
- Size: 367KB
- MD5: 45c3677c1f85d800c5ff3d0783bc0472
- SHA1: 38b7e90f6c5bd955a6d14d5b9f86fb22e9cc8020
- SHA256: 217831226a3f69dc927d01f6696315294fcf7c9738ba9955bdbffbd9076ea0aa
- SHA512: eee6f4f7e6fc1975b1383e785fb638ee190b3692edb005cd094eada268954d7daea77e229f2a7928be3a01b04152f476293f02db5693776a70a03b9a76b839eb
- SSDEEP: 6144:UvBWQQqJizCS6EEXMvZyRC7YmqY28nzXLFy9wvK7SEg7b03oW8rykdvuj5dS17ui:U5WQBE8FX+ZZ77qYBgKv4Xg5RryGWldY
Malware Config
Extracted
gozi_ifsb
10008
jscallowallowallowjcli.me
disallowjscuserallow.pw
- build: 215801
- dga_base_url: z1.zedo.com/robots.txt
- dga_crc: 0x246640bb
- exe_type: worker
- server_id: 12
Signatures
-
Gozi_ifsb family
Files
-
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked_dropper.exe windows x86
c86646a9ae29aab475d42a42a14cfef0
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
RtlUnwind
mbstowcs
memset
ZwQueryInformationProcess
NtQuerySystemInformation
RtlNtStatusToDosError
memcpy
ZwOpenProcessToken
ZwQueryInformationToken
ZwOpenProcess
NtUnmapViewOfSection
NtMapViewOfSection
NtCreateSection
RtlUpcaseUnicodeString
ZwClose
RtlFreeUnicodeString
NtQueryVirtualMemory
shlwapi
StrChrA
StrTrimW
PathFindExtensionW
StrChrW
PathFindFileNameW
PathFindExtensionA
PathCombineW
StrRChrA
kernel32
CreateProcessA
ResetEvent
HeapFree
CloseHandle
DeleteFileW
CreateDirectoryW
CreateFileW
CreateWaitableTimerA
lstrcatA
SetEvent
lstrcpyW
SetFileAttributesW
Sleep
lstrcpyA
lstrlenW
SwitchToThread
SetEndOfFile
CreateEventA
FlushFileBuffers
FindNextFileA
FindFirstFileA
HeapAlloc
lstrcmpiW
GetLastError
SetWaitableTimer
GetTickCount
GetExitCodeProcess
GetProcAddress
lstrcatW
VirtualProtectEx
SuspendThread
lstrcmpA
FreeLibrary
WriteFile
FindClose
GetFileTime
CompareFileTime
CreateFileA
GetCommandLineW
ExitProcess
GetModuleHandleA
HeapCreate
HeapDestroy
WaitForSingleObject
ExpandEnvironmentStringsA
LocalFree
lstrcpynA
lstrcmpiA
SetLastError
GetModuleFileNameA
GetModuleFileNameW
ExpandEnvironmentStringsW
GetTempPathA
ReadFile
lstrlenA
SetFilePointer
GetFileSize
GetTempFileNameA
CreateDirectoryA
GetVersion
OpenProcess
GetCurrentProcess
GetCurrentProcessId
ResumeThread
CreateThread
VirtualAlloc
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
IsWow64Process
TerminateThread
GetVersionExW
LeaveCriticalSection
GetCurrentThreadId
VirtualFree
GetLongPathNameW
user32
SendMessageW
SetClassLongW
EndMenu
CallNextHookEx
CreatePopupMenu
DefWindowProcW
AppendMenuA
PostMessageW
GetMessageW
TranslateMessage
GetClassWord
TrackPopupMenuEx
wsprintfW
FindWindowA
wsprintfA
SetWinEventHook
SetWindowsHookExW
DispatchMessageW
RegisterClassExW
DestroyWindow
CreateWindowExW
advapi32
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegDeleteValueW
RegEnumKeyExA
RegOpenKeyW
RegCreateKeyA
GetTokenInformation
RegOpenKeyExA
RegQueryValueExW
RegSetValueExW
GetSidSubAuthorityCount
GetSidSubAuthority
RegCloseKey
RegQueryValueExA
OpenProcessToken
RegOpenKeyA
RegSetValueExA
shell32
ord92
ShellExecuteW
ShellExecuteExW
ole32
CoUninitialize
CoInitializeEx
Sections
.text Size: 21KB - Virtual size: 20KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 338KB - Virtual size: 340KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ