Behavioral task
behavioral1
Sample
3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff_unpacked.dll
Resource
win7-20220812-en
General
Target: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff_unpacked
Size: 151KB
MD5: 215deda6c849d1c2da60253d35ee9e09
SHA1: 4136b0341013085b16aa6c5568506b14fa88f40e
SHA256: b72d412ba4cebb19928816d686b9ef214cbe4e843a4f0760ea1364260595ada8
SHA512: 9056727a55a98f486f2d9d7815ed5bc2d45d15d5fa0057913b5ce2b35a1dcff74f01f7bf7ee516f460ab98ebc061f20f4b66aaf8bde12c0a675523337a3b0fef
SSDEEP: 3072:DsajR3l2w1I4c2CtZIwGC2qlalXnuQRAja1dLouddR6d702+ENQzLDgsf5WS:DVR1/gD94qlal+jE8uddkd70B9f/
Malware Config
Extracted
Family: gozi_ifsb
3000
romaya.ru
matashka.ru
matashka399.ru
exe_type: worker
server_id: 12
Signatures
Gozi_ifsb family
Files
3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff_unpacked.dll (windows x86)
4cc7183bb2d3fbfa5214e9e4b489f02c
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
ZwQueryInformationToken
ZwOpenProcess
ZwClose
ZwOpenProcessToken
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
memcpy
_wcsupr
wcscpy
memset
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
_snprintf
strcpy
sprintf
RtlImageNtHeader
RtlAdjustPrivilege
mbstowcs
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
_strupr
_aulldiv
_allmul
_chkstk
RtlUnwind
NtQueryVirtualMemory
kernel32
LocalFree
SetFilePointerEx
FileTimeToLocalFileTime
VirtualProtectEx
lstrcmpiW
GetModuleFileNameA
GetLocalTime
GetModuleFileNameW
FileTimeToSystemTime
CreateRemoteThread
VirtualFree
GetCurrentProcessId
GetVersion
CreateFileA
lstrlenA
HeapAlloc
HeapFree
WriteFile
lstrcatA
CreateDirectoryA
GetLastError
RemoveDirectoryA
LoadLibraryA
CloseHandle
DeleteFileA
lstrcpyA
HeapReAlloc
InterlockedIncrement
InterlockedDecrement
SetEvent
GetTickCount
HeapDestroy
HeapCreate
SetWaitableTimer
CreateDirectoryW
GetCurrentThread
GetSystemTimeAsFileTime
GetWindowsDirectoryA
Sleep
CopyFileW
CreateEventA
CreateFileW
lstrlenW
lstrcatW
GetCurrentThreadId
DeleteFileW
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
CreateThread
SwitchToThread
lstrcmpA
MapViewOfFile
UnmapViewOfFile
WaitForSingleObject
GetComputerNameW
LeaveCriticalSection
SetLastError
lstrcmpiA
EnterCriticalSection
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
InitializeCriticalSection
UnregisterWait
LoadLibraryExW
InterlockedExchange
VirtualAlloc
RegisterWaitForSingleObject
GetModuleHandleA
VirtualProtect
GetProcAddress
GetFileSize
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetExitCodeProcess
CreateProcessA
CreateFileMappingA
OpenFileMappingA
OpenProcess
lstrcpynA
TlsGetValue
TlsSetValue
TlsAlloc
GlobalLock
GlobalUnlock
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
RemoveVectoredExceptionHandler
SleepEx
AddVectoredExceptionHandler
OpenEventA
ResetEvent
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
GetTempFileNameA
GetFileAttributesW
SetEndOfFile
SetFilePointer
FindFirstFileW
oleaut32
VariantInit
VariantClear
SysAllocString
SysFreeString
Sections
.text Size: 118KB - Virtual size: 118KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 10KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ