Behavioral task: behavioral1
Sample: 25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked_dropper.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked_dropper.exe
Resource: win10v2004-20220901-en
General
- Target: 25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked_dropper
- Size: 389KB
- MD5: 04832ccd1d9a951945d523e9c58b06a6
- SHA1: c9d3326d99ee3713f92be5666fc6145c6d2a3019
- SHA256: c218b2c7fab9005b62277dfff6ccb01875e079fb3b4dc408dad92bfda3f3a162
- SHA512: 3756092c2e190603d4fadd5fc61ca9d227160620c745131b4b1ab6f0eb6b3eb47be06df32d36a459a52570471e9b2140234467fbc94f133dde0e267b11a828d2
- SSDEEP: 12288:lBSnsckkOIIlGgqLMSvOaXhunQEHAHzrTXOl2:bokh2gSv9huIXTK
Malware Config
Extracted
gozi_ifsb
2002
test1.ru
- build: 216843
- dga_base_url: opensource.apple.com/source/Security/Security-29/SecureTransport/LICENSE.txt?txt
- dga_crc: 0x6f0b167a
- exe_type: worker
- server_id: 12
Signatures
-
Gozi_ifsb family
Files
-
25bdab9cf1c2dbb6e96e1b0797a4facaa0c3469164f1653328e4357fb421e061_unpacked_dropper.exe windows x86
24813c4477f977fa61a9889834c22245
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
mbstowcs
memcpy
memset
ZwOpenProcessToken
ZwClose
ZwOpenProcess
ZwQueryInformationToken
NtQuerySystemInformation
RtlNtStatusToDosError
ZwQueryInformationProcess
RtlFreeUnicodeString
NtMapViewOfSection
NtUnmapViewOfSection
NtCreateSection
RtlUpcaseUnicodeString
RtlUnwind
NtQueryVirtualMemory
shlwapi
StrChrA
StrRChrA
PathFindExtensionW
PathCombineW
PathFindExtensionA
StrStrIA
StrTrimW
StrChrW
PathFindFileNameW
setupapi
SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyA
kernel32
SetEvent
GetTickCount
HeapFree
CreateEventA
GetExitCodeProcess
CreateProcessA
lstrlenW
GetLastError
GetProcAddress
ResetEvent
lstrcmpiW
lstrcatW
DeleteFileW
CreateWaitableTimerA
SetFileAttributesW
SetWaitableTimer
HeapAlloc
GetModuleHandleA
HeapCreate
HeapDestroy
GetCommandLineW
ExitProcess
CloseHandle
ReadFile
WaitForSingleObject
CreateFileA
Sleep
GetLongPathNameW
SuspendThread
VirtualProtectEx
lstrcmpA
GetTempPathA
GetTempFileNameA
CreateDirectoryA
GetFileSize
FreeLibrary
lstrcpynA
GetModuleFileNameA
lstrcmpiA
SetLastError
GetModuleFileNameW
GetCurrentProcess
InitializeCriticalSection
TerminateThread
GetVersionExW
LeaveCriticalSection
VirtualAlloc
EnterCriticalSection
LoadLibraryA
IsWow64Process
GetCurrentThreadId
GetCurrentProcessId
ResumeThread
CreateThread
VirtualFree
OpenProcess
GetVersion
lstrlenA
ExpandEnvironmentStringsA
lstrcatA
lstrcpyA
ExpandEnvironmentStringsW
LocalFree
SetEndOfFile
CompareFileTime
CreateDirectoryW
WriteFile
CreateFileW
FlushFileBuffers
FindFirstFileA
FindClose
FindNextFileA
GetFileTime
lstrcpyW
SetFilePointer
user32
GetCursorInfo
DispatchMessageW
DefWindowProcW
EndMenu
SendMessageW
GetClassWord
SetWindowsHookExW
CreateWindowExW
AppendMenuA
CreatePopupMenu
SetClassLongW
TrackPopupMenuEx
SetWinEventHook
RegisterClassExW
TranslateMessage
CallNextHookEx
PostMessageW
GetMessageW
DestroyWindow
wsprintfW
wsprintfA
FindWindowA
advapi32
OpenProcessToken
RegDeleteValueW
RegEnumKeyExA
RegOpenKeyW
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
RegSetValueExW
RegOpenKeyA
RegCreateKeyA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegCloseKey
RegOpenKeyExA
RegQueryValueExW
RegSetValueExA
RegQueryValueExA
shell32
ord92
ShellExecuteW
ShellExecuteExW
ole32
CoUninitialize
CoInitializeEx
Sections
.text Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 357KB - Virtual size: 360KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ