Behavioral task
behavioral1
Sample
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked.dll
Resource
win7-20220901-en
General
Target: 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked
Size: 154KB
MD5: 47ff8d660f5e9f9f3fe90f1e87403538
SHA1: 07238187fe576b022a149172cb1653625c377cd2
SHA256: ffde622e1ebf2ded6fe1ad3e22a1ea11c3b3944eac2278277ca186facc4457bf
SHA512: 571a5220f2757b872a63b4c42b5682fdfbc8bd391522d0d4eef611b55a5ca0c6a2253ee1075f260ad2db083722bb63d18aa02f2d6d76d4f5f604217be5aea375
SSDEEP: 3072:FOt39ZNj9tlzA458K4cs04gZqNWFzSPeuwDqlalXn/fDXqJj0oy9oV13:ytZN9gCs0uNWFziwDqlalvDqJd
Malware Config
Extracted
gozi_ifsb
1100
C2
cyajon.at/krp3cmg
hipohook.cn/krp3cmg
rokolero.at/krp3cmg
arexan.at/krp3cmg
voligon.cn/krp3cmg
qwevigoc.at/krp3cmg
comerail.su/krp3cmg
boombom.at/krp3cmg
xiloker.cn/krp3cmg
xorewopa.at/krp3cmg
goinumder.su/krp3cmg
ribomoon.cn/krp3cmg
ambikooly.at/krp3cmg
therepalon.su/krp3cmg
chikoole.cn/krp3cmg
exe_type: worker
server_id: 110
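The extracted config is only useful once it is turned into something a detection pipeline can consume. The following script is an added example (not part of the sandbox report and not Gozi/ISFB tooling): it copies the C2 list, exe_type and server_id from the report above, splits each bare `host/path` entry into a host and a URI path, checks that all entries share one path, summarises the TLD spread, and matches the resulting IOCs against a few constructed `key=value` proxy log lines. The log format and the log lines themselves are assumptions made for the demo.

```python
"""Turn the extracted Gozi/ISFB config above into IOCs and match them against proxy logs.

Added example; the C2 list, exe_type and server_id are copied from the report,
the proxy log lines and their key=value format are constructed for the demo.
"""
from collections import Counter
from urllib.parse import urlsplit

# Copied verbatim from the extracted config.
C2 = """
cyajon.at/krp3cmg hipohook.cn/krp3cmg rokolero.at/krp3cmg arexan.at/krp3cmg
voligon.cn/krp3cmg qwevigoc.at/krp3cmg comerail.su/krp3cmg boombom.at/krp3cmg
xiloker.cn/krp3cmg xorewopa.at/krp3cmg goinumder.su/krp3cmg ribomoon.cn/krp3cmg
ambikooly.at/krp3cmg therepalon.su/krp3cmg chikoole.cn/krp3cmg
""".split()
EXTRACTED = {"family": "gozi_ifsb", "c2": C2, "exe_type": "worker", "server_id": 110}


def parse_c2(entries):
    """Split bare 'host/path' entries into (host, path).

    The config carries no scheme, so one is prepended only so urlsplit can parse it.
    """
    iocs = []
    for entry in entries:
        parts = urlsplit("http://" + entry.strip())
        iocs.append((parts.hostname.lower(), parts.path or "/"))
    return iocs


def common_path(entries):
    """The URI path shared by every C2 entry, or None if the entries differ."""
    paths = {path for _, path in parse_c2(entries)}
    return paths.pop() if len(paths) == 1 else None


def tld_counts(entries):
    """How the C2 hosts spread across TLDs (a quick sanity check of the list)."""
    return dict(Counter(host.rsplit(".", 1)[-1] for host, _ in parse_c2(entries)))


def match_proxy_log(lines, entries):
    """Match 'key=value' proxy log lines (constructed format) against the IOCs.

    A hit on host plus path prefix is reported as 'host+path'; a hit on the host
    alone is still reported, as 'host-only', so the analyst can decide what it means.
    """
    iocs = parse_c2(entries)
    hosts = {host for host, _ in iocs}
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        host = fields.get("host", "").lower()
        uri = fields.get("uri", "")
        if host not in hosts:
            continue
        full = any(h == host and uri.startswith(p) for h, p in iocs)
        hits.append((host, uri, "host+path" if full else "host-only"))
    return hits


# Constructed proxy log lines for the demo (not from the report).
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 host=cyajon.at uri=/krp3cmg/images/a.gif",
    "ts=2024-01-01T10:00:01Z src=10.0.0.6 host=example.com uri=/krp3cmg",
    "ts=2024-01-01T10:00:02Z src=10.0.0.7 host=CHIKOOLE.cn uri=/",
]

if __name__ == "__main__":
    print("family:", EXTRACTED["family"], "server_id:", EXTRACTED["server_id"])
    print("shared path:", common_path(C2))
    print("tlds:", tld_counts(C2))
    for hit in match_proxy_log(SAMPLE_LOG, C2):
        print("hit:", hit)
```

The host-only match is kept deliberately: a request to one of these hosts with a different path is still worth a look, while the same `/krp3cmg` path on an unrelated host (second log line) is not a hit on its own. Note that the config lists hostnames only; whether a live sample connects over HTTP or HTTPS is not something this report states, so the scheme is not part of the IOC.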
Signatures
Gozi_ifsb family
Files
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5_unpacked.dll windows x86
89467b5766ec2187c4e12c46460c59fd
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
ZwOpenProcessToken
ZwOpenProcess
strcpy
NtQuerySystemInformation
ZwQueryInformationProcess
NtMapViewOfSection
NtUnmapViewOfSection
ZwClose
RtlNtStatusToDosError
NtCreateSection
RtlImageNtHeader
ZwQueryInformationToken
_wcsupr
_strupr
_snprintf
memset
wcscpy
RtlUpcaseUnicodeString
ZwQueryKey
RtlFreeUnicodeString
wcstombs
mbstowcs
RtlAdjustPrivilege
memcpy
sprintf
_aulldiv
_allmul
_chkstk
RtlUnwind
NtQueryVirtualMemory
kernel32
CreateProcessA
lstrcmpiW
ResetEvent
GetComputerNameW
SetFilePointerEx
QueueUserWorkItem
GetModuleFileNameW
GetModuleFileNameA
HeapAlloc
GetLastError
RemoveDirectoryA
HeapFree
DeleteFileA
lstrcpyA
LoadLibraryA
CreateFileA
lstrcatA
lstrlenA
WriteFile
CreateDirectoryA
CloseHandle
InterlockedIncrement
InterlockedDecrement
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
GetTickCount
lstrcatW
CreateDirectoryW
OpenProcess
GetCurrentThreadId
CreateFileW
DuplicateHandle
Sleep
lstrlenW
CopyFileW
DeleteFileW
GetTempPathA
GetCurrentThread
SetWaitableTimer
CreateEventA
InterlockedExchange
SuspendThread
GetSystemTimeAsFileTime
ResumeThread
lstrcpyW
GetWindowsDirectoryA
GetModuleHandleA
CreateThread
SwitchToThread
SetLastError
lstrcmpiA
CreateMutexA
WaitForSingleObject
OpenWaitableTimerA
OpenMutexA
lstrcmpA
ReleaseMutex
GetVersionExA
CreateWaitableTimerA
MapViewOfFile
UnmapViewOfFile
WaitForMultipleObjects
LeaveCriticalSection
InitializeCriticalSection
EnterCriticalSection
RegisterWaitForSingleObject
TlsGetValue
TlsSetValue
LoadLibraryExW
VirtualAlloc
VirtualProtect
UnregisterWait
TlsAlloc
GetProcAddress
GetDriveTypeW
WideCharToMultiByte
OpenFileMappingA
LocalFree
GetLogicalDriveStringsW
GetExitCodeProcess
CreateFileMappingA
GetLocalTime
GetFileSize
lstrcpynA
QueueUserAPC
Thread32First
OpenThread
Thread32Next
CreateToolhelp32Snapshot
CancelIo
ConnectNamedPipe
GetOverlappedResult
DisconnectNamedPipe
GetSystemTime
FlushFileBuffers
CreateNamedPipeA
CallNamedPipeA
WaitNamedPipeA
ReadFile
AddVectoredExceptionHandler
OpenEventA
SleepEx
RemoveVectoredExceptionHandler
LocalAlloc
FreeLibrary
RaiseException
VirtualFree
GetCurrentProcessId
GetVersion
DeleteCriticalSection
FindClose
GetTempFileNameA
SetEndOfFile
ExpandEnvironmentStringsW
SetFilePointer
FindFirstFileW
GetFileAttributesW
FindNextFileW
RemoveDirectoryW
VirtualProtectEx
oleaut32
SysFreeString
VariantClear
SysAllocString
VariantInit
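An import table this size is easier to read as capabilities than as a flat list. The script below is an added example (not part of the sandbox report): it copies the import table above and checks it against a set of capability groups, each a set of `dll!Function` names that must all be present. The groups are my own heuristic, not something the sandbox emits; `Zw*` names are folded into `Nt*` because they are the same user-mode stubs. The optional `imports_from_pe` helper assumes the `pefile` package is installed and is not needed for the rest of the script.

```python
"""Import-table capability triage for the unpacked DLL above.

Added example. IMPORTS is copied from the report's import table; the capability
groups are a hand-written heuristic, not output of the sandbox.
"""

IMPORTS = {
    "ntdll": """
        ZwOpenProcessToken ZwOpenProcess strcpy NtQuerySystemInformation
        ZwQueryInformationProcess NtMapViewOfSection NtUnmapViewOfSection ZwClose
        RtlNtStatusToDosError NtCreateSection RtlImageNtHeader ZwQueryInformationToken
        _wcsupr _strupr _snprintf memset wcscpy RtlUpcaseUnicodeString ZwQueryKey
        RtlFreeUnicodeString wcstombs mbstowcs RtlAdjustPrivilege memcpy sprintf
        _aulldiv _allmul _chkstk RtlUnwind NtQueryVirtualMemory
    """.split(),
    "kernel32": """
        CreateProcessA lstrcmpiW ResetEvent GetComputerNameW SetFilePointerEx
        QueueUserWorkItem GetModuleFileNameW GetModuleFileNameA HeapAlloc GetLastError
        RemoveDirectoryA HeapFree DeleteFileA lstrcpyA LoadLibraryA CreateFileA lstrcatA
        lstrlenA WriteFile CreateDirectoryA CloseHandle InterlockedIncrement
        InterlockedDecrement HeapDestroy HeapCreate SetEvent HeapReAlloc GetTickCount
        lstrcatW CreateDirectoryW OpenProcess GetCurrentThreadId CreateFileW
        DuplicateHandle Sleep lstrlenW CopyFileW DeleteFileW GetTempPathA
        GetCurrentThread SetWaitableTimer CreateEventA InterlockedExchange SuspendThread
        GetSystemTimeAsFileTime ResumeThread lstrcpyW GetWindowsDirectoryA
        GetModuleHandleA CreateThread SwitchToThread SetLastError lstrcmpiA CreateMutexA
        WaitForSingleObject OpenWaitableTimerA OpenMutexA lstrcmpA ReleaseMutex
        GetVersionExA CreateWaitableTimerA MapViewOfFile UnmapViewOfFile
        WaitForMultipleObjects LeaveCriticalSection InitializeCriticalSection
        EnterCriticalSection RegisterWaitForSingleObject TlsGetValue TlsSetValue
        LoadLibraryExW VirtualAlloc VirtualProtect UnregisterWait TlsAlloc GetProcAddress
        GetDriveTypeW WideCharToMultiByte OpenFileMappingA LocalFree
        GetLogicalDriveStringsW GetExitCodeProcess CreateFileMappingA GetLocalTime
        GetFileSize lstrcpynA QueueUserAPC Thread32First OpenThread Thread32Next
        CreateToolhelp32Snapshot CancelIo ConnectNamedPipe GetOverlappedResult
        DisconnectNamedPipe GetSystemTime FlushFileBuffers CreateNamedPipeA CallNamedPipeA
        WaitNamedPipeA ReadFile AddVectoredExceptionHandler OpenEventA SleepEx
        RemoveVectoredExceptionHandler LocalAlloc FreeLibrary RaiseException VirtualFree
        GetCurrentProcessId GetVersion DeleteCriticalSection FindClose GetTempFileNameA
        SetEndOfFile ExpandEnvironmentStringsW SetFilePointer FindFirstFileW
        GetFileAttributesW FindNextFileW RemoveDirectoryW VirtualProtectEx
    """.split(),
    "oleaut32": "SysFreeString VariantClear SysAllocString VariantInit".split(),
}

# Each capability is a set of "dll!Function" names that must ALL be present.
# Zw* and Nt* exports are the same user-mode stubs, so names are normalised to Nt*.
CAPABILITIES = {
    "section_mapping_injection": {"ntdll!NtCreateSection", "ntdll!NtMapViewOfSection",
                                  "ntdll!NtUnmapViewOfSection", "ntdll!NtOpenProcess"},
    "apc_injection": {"kernel32!QueueUserAPC", "kernel32!OpenThread",
                      "kernel32!CreateToolhelp32Snapshot", "kernel32!Thread32First",
                      "kernel32!Thread32Next"},
    "thread_hijack": {"kernel32!OpenThread", "kernel32!SuspendThread",
                      "kernel32!ResumeThread"},
    "remote_protect_change": {"kernel32!VirtualProtectEx"},
    "privilege_adjust": {"ntdll!RtlAdjustPrivilege", "ntdll!NtOpenProcessToken"},
    "named_pipe_ipc": {"kernel32!CreateNamedPipeA", "kernel32!ConnectNamedPipe",
                       "kernel32!CallNamedPipeA"},
    "vectored_exception_handler": {"kernel32!AddVectoredExceptionHandler"},
    "classic_remote_write": {"kernel32!WriteProcessMemory", "kernel32!CreateRemoteThread"},
    "dynamic_api_resolution": {"kernel32!LoadLibraryA", "kernel32!GetProcAddress"},
}


def normalise(dll, func):
    """Lower-case the module and fold Zw* into Nt* so both spellings compare equal."""
    func = "Nt" + func[2:] if func.startswith("Zw") else func
    return f"{dll.lower()}!{func}"


def import_set(imports):
    return {normalise(dll, f) for dll, funcs in imports.items() for f in funcs}


def capability_report(imports):
    """Map each capability to the APIs it still lacks (empty set means present)."""
    have = import_set(imports)
    return {name: needed - have for name, needed in CAPABILITIES.items()}


def present_capabilities(imports):
    return sorted(n for n, missing in capability_report(imports).items() if not missing)


def imports_from_pe(path):
    """Build the same structure from a PE on disk (assumes the pefile package)."""
    import pefile  # imported lazily so the rest of the module works without it
    pe = pefile.PE(path)
    out = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode(errors="replace").rsplit(".", 1)[0]
        out[dll] = [imp.name.decode() for imp in entry.imports if imp.name]
    return out


if __name__ == "__main__":
    for name, missing in capability_report(IMPORTS).items():
        print(f"{name:28s}", "present" if not missing else f"missing {sorted(missing)}")
```

Two things the output makes visible that the flat list does not: the classic `WriteProcessMemory` + `CreateRemoteThread` pair is absent, while the section-mapping, APC and thread-suspend/resume groups are complete, so detection built only on the classic pair would not see this payload. And because `LoadLibraryA`/`GetProcAddress` are imported, anything absent from this static table may still be resolved at runtime; a missing group is evidence of nothing. This is the `_unpacked` DLL, so the table belongs to the payload rather than to whatever packer wrapped it.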
Sections
.text Size: 122KB - Virtual size: 121KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 10KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
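The section table is worth a mechanical pass as well, mainly to confirm there is no writable-and-executable section and to notice flag/name inconsistencies. The script below is an added example (not part of the sandbox report): it copies the five sections above, rebuilds the `Characteristics` DWORD from the listed `IMAGE_SCN_*` names using the winnt.h constant values, and records a few observations per section. Nothing it reports is a verdict; it is the kind of note an analyst keeps beside a dumped or unpacked image.

```python
"""Decode the section characteristics listed above and flag layouts worth a second look.

Added example; the section table is copied from the report, the flag values are the
IMAGE_SCN_* constants from winnt.h.
"""
IMAGE_SCN = {
    "IMAGE_SCN_CNT_CODE": 0x00000020,
    "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,
    "IMAGE_SCN_MEM_EXECUTE": 0x20000000,
    "IMAGE_SCN_MEM_READ": 0x40000000,
    "IMAGE_SCN_MEM_WRITE": 0x80000000,
}

# (name, raw size KB, virtual size KB, flags) as listed in the report.
SECTIONS = [
    (".text", 122, 121, {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    (".rdata", 11, 11, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".data", 3, 4, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    (".bss", 6, 6, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    (".reloc", 10, 12, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
]


def encode(flags):
    """Set of flag names -> the Characteristics DWORD as stored in the section header."""
    return sum(IMAGE_SCN[f] for f in flags)


def decode(value):
    """Characteristics DWORD -> set of the flag names this table knows about."""
    return {name for name, bit in IMAGE_SCN.items() if value & bit}


def section_findings(sections):
    """Per-section observations; an empty list means nothing stood out."""
    findings = {}
    for name, raw_kb, virt_kb, flags in sections:
        value = encode(flags)
        notes = []
        if value & IMAGE_SCN["IMAGE_SCN_MEM_WRITE"] and value & IMAGE_SCN["IMAGE_SCN_MEM_EXECUTE"]:
            notes.append("writable and executable")
        if value & IMAGE_SCN["IMAGE_SCN_MEM_EXECUTE"] and not value & IMAGE_SCN["IMAGE_SCN_CNT_CODE"]:
            notes.append("executable but not marked as code")
        if name == ".bss" and not value & IMAGE_SCN["IMAGE_SCN_CNT_UNINITIALIZED_DATA"]:
            notes.append("named .bss but not flagged IMAGE_SCN_CNT_UNINITIALIZED_DATA")
        if raw_kb == 0 and virt_kb > 0:
            notes.append("no raw data on disk, filled at load time")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, raw_kb, virt_kb, flags in SECTIONS:
        print(f"{name:7s} raw={raw_kb:3d}KB virt={virt_kb:3d}KB chars=0x{encode(flags):08X}")
    for name, notes in section_findings(SECTIONS).items():
        print(name, notes or "-")
```

On this table the only note is `.bss`, which carries 6KB of raw data and the initialized-data flag rather than `IMAGE_SCN_CNT_UNINITIALIZED_DATA`; the code section is read/execute only, and no section is both writable and executable. Virtual size exceeding raw size (`.data`, `.reloc`) is ordinary zero-padding and is not flagged.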