Behavioral task: behavioral1
Sample: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676_unpacked_dropper.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676_unpacked_dropper.exe
Resource: win10v2004-20220812-en
General
- Target: 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676_unpacked_dropper
- Size: 234KB
- MD5: 20175483f1ce240ee7bdb36e212f7107
- SHA1: 63b7747390a57220c2b3a1d174806f91ebe828b0
- SHA256: 2f5ea1a62fc13005fa827ebb5ae0df55fac1a81428d9fd99c24f771aef6a3f70
- SHA512: 2a0cec9b768dc8460dc2af753b3e59e6c27d31a13298e55a4c7a894d6158a92bfeae8db3f141cd23113237b9c3f94132e873294548a38212c8786937d897b2eb
- SSDEEP: 3072:/nIQbLqvw4+fXJ0yGUtIlF6jUFjSi73sMlZDeDptJMvZanVid6LQa0VwDbrVcWJ8:/IsWUf5KoqQa7sMlYtJwa0mP9qu8
Malware Config
Extracted
gozi_ifsb
1001
- build: 215840
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- exe_type: worker
- server_id: 93
Signatures
-
Gozi_ifsb family
Files
-
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676_unpacked_dropper.exe windows x86
0bb4fad7255bba7ccb23dbc767056f7e
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
ZwOpenProcessToken
ZwOpenProcess
RtlNtStatusToDosError
memcpy
memset
NtQuerySystemInformation
ZwQueryInformationProcess
ZwClose
NtUnmapViewOfSection
NtMapViewOfSection
RtlUpcaseUnicodeString
NtCreateSection
mbstowcs
ZwQueryInformationToken
RtlFreeUnicodeString
RtlUnwind
NtQueryVirtualMemory
shlwapi
StrRChrA
PathFindExtensionA
StrChrA
PathFindExtensionW
PathCombineW
PathFindFileNameW
StrChrW
StrTrimW
kernel32
DeleteFileW
CloseHandle
CreateWaitableTimerA
SetFileAttributesW
GetTickCount
SwitchToThread
CreateProcessA
SetEvent
CreateEventA
GetProcAddress
GetLastError
lstrcatW
Sleep
HeapFree
lstrcmpiW
lstrlenW
SetWaitableTimer
HeapAlloc
GetCommandLineW
ExitProcess
GetModuleHandleA
HeapCreate
HeapDestroy
WaitForSingleObject
ResetEvent
GetModuleFileNameW
SuspendThread
VirtualProtectEx
ResumeThread
GetFileSize
GetTempFileNameA
CreateDirectoryA
GetTempPathA
lstrcmpA
lstrcpynA
LocalFree
WriteFile
GetVersion
GetCurrentProcessId
GetLongPathNameW
OpenProcess
ReadFile
FindClose
CreateFileW
GetModuleFileNameA
lstrcatA
CreateFileA
VirtualFree
SetLastError
lstrcmpiA
lstrcpyA
VirtualAlloc
SetFilePointer
lstrlenA
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
FindNextFileA
SetEndOfFile
GetFileTime
CompareFileTime
lstrcpyW
CreateDirectoryW
FlushFileBuffers
FindFirstFileA
user32
wsprintfA
wsprintfW
FindWindowA
advapi32
GetSidSubAuthorityCount
RegEnumKeyExA
RegOpenKeyW
RegDeleteValueW
GetTokenInformation
OpenProcessToken
GetSidSubAuthority
RegQueryValueExA
RegCreateKeyA
RegSetValueExW
RegSetValueExA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegCloseKey
RegQueryValueExW
RegOpenKeyExA
RegOpenKeyA
shell32
ShellExecuteExW
ShellExecuteW
ord92
ole32
CoInitializeEx
CoUninitialize
Sections
.text Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 209KB - Virtual size: 212KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ