Behavioral task: behavioral1
Sample: 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked.dll
Resource: win7-20220812-en
General
Target: 2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked
Size: 261KB
MD5: b05251161738b4bc6dee62aa4f21665f
SHA1: 8ff24b1184e51f2ae864f70114428692b636eaf0
SHA256: def9435b8197bb085d459e4dab6e34205e8e99e8c4c7a04de97a0b8a16458893
SHA512: 60e336088f71a6eb8430faefd7b40068de94c9b554a70332f28d9f24a9416ff950ce65dbb1572d1206084feb5b8f67e81f32fc3cc583058106f712edab593fca
SSDEEP: 6144:/t6K00pbSzCcqlalSwHnFZkCN5BQfccGjlrwxce4GjE:k8pb0Ccqgl/FXN5BxVrwxcm
Malware Config (Extracted)
Family: gozi_ifsb
10008
jscallowallowallowjcli.me
disallowjscuserallow.pw
build: 215801
dga_base_url: z1.zedo.com/robots.txt
dga_crc: 0x246640bb
exe_type: worker
server_id: 12
Signatures
Gozi_ifsb family
Files
2952a6ad1ba0a56ea176672f3ec9b1ad8a92836839dc51f592eb253db60c96af_unpacked.dll windows x86
73beb34b87a48bf290dd30626db51bc9
Headers
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
strncpy
memmove
memcmp
NtUnmapViewOfSection
NtCreateSection
NtMapViewOfSection
RtlRandomEx
ZwOpenProcess
ZwClose
ZwQueryInformationToken
ZwOpenProcessToken
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
strstr
_strupr
_wcsupr
wcscpy
memset
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
strcpy
sprintf
_snprintf
RtlAdjustPrivilege
memcpy
RtlImageNtHeader
isxdigit
_memicmp
mbstowcs
sscanf
_allmul
_aulldiv
_allshl
_alldiv
RtlUnwind
NtQueryVirtualMemory
kernel32
QueueUserWorkItem
FileTimeToLocalFileTime
VirtualProtectEx
lstrcmpiW
GetModuleFileNameW
FileTimeToSystemTime
GetModuleFileNameA
GetLocalTime
VirtualFree
CreateDirectoryA
CloseHandle
GetLastError
HeapAlloc
RemoveDirectoryA
DeleteFileA
HeapFree
lstrcpyA
LoadLibraryA
CreateFileA
lstrcatA
lstrlenA
WriteFile
GetTickCount
InterlockedIncrement
InterlockedDecrement
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
lstrcpyW
GetWindowsDirectoryA
GetModuleHandleA
CreateThread
SwitchToThread
lstrcatW
CreateDirectoryW
OpenProcess
CreateFileW
GetCurrentThreadId
DuplicateHandle
Sleep
lstrlenW
CopyFileW
DeleteFileW
GetTempPathA
SetWaitableTimer
GetCurrentThread
CreateEventA
InterlockedExchange
GetSystemTimeAsFileTime
SuspendThread
ResumeThread
OpenWaitableTimerA
OpenMutexA
ReleaseMutex
CreateWaitableTimerA
WaitForSingleObject
GetComputerNameW
lstrcmpA
SetLastError
WaitForMultipleObjects
IsBadReadPtr
LeaveCriticalSection
EnterCriticalSection
MapViewOfFile
UnmapViewOfFile
CreateMutexA
InitializeCriticalSection
UnregisterWait
TlsAlloc
RegisterWaitForSingleObject
TlsGetValue
TlsSetValue
LoadLibraryExW
VirtualAlloc
VirtualProtect
GetProcAddress
GetDriveTypeW
WideCharToMultiByte
OpenFileMappingA
GetLogicalDriveStringsW
GetFileAttributesA
GetExitCodeProcess
GetFileAttributesW
CreateFileMappingA
CreateProcessA
GetFileSize
lstrcpynA
Thread32Next
CreateToolhelp32Snapshot
QueueUserAPC
Thread32First
OpenThread
CallNamedPipeA
WaitNamedPipeA
ReadFile
CancelIo
ConnectNamedPipe
GetOverlappedResult
DisconnectNamedPipe
GetSystemTime
FlushFileBuffers
CreateNamedPipeA
SleepEx
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
OpenEventA
ResetEvent
LocalAlloc
FreeLibrary
RaiseException
GetCurrentProcessId
GetVersion
DeleteCriticalSection
GetTempFileNameA
SetEndOfFile
ExpandEnvironmentStringsW
SetFilePointer
FindFirstFileW
FindNextFileW
RemoveDirectoryW
FindClose
TerminateThread
SystemTimeToTzSpecificLocalTime
lstrcmpiA
LocalFree
iphlpapi
GetAdaptersAddresses
GetIpAddrTable
GetBestRoute
oleaut32
VariantInit
SysFreeString
VariantClear
SysAllocString
Sections
.text Size: 218KB - Virtual size: 218KB - Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 19KB - Virtual size: 18KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 5KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss Size: 6KB - Virtual size: 6KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc Size: 12KB - Virtual size: 16KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ