gozi_ifsb | 4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked_dropper

Sharing

Copy URL

Twitter E-mail

General

Target

4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked_dropper
Size

384KB
MD5

27cfb7a32d1fafc0dca536f86cb5e67e
SHA1

89e82fd9d69a5f509b04b63bde416ff87529d956
SHA256

a558843d65663eec952cb252d3a3412c6a093425da7a501f124b104e537899aa
SHA512

223b0a80cfff717af0b9677d7311f8e521748549b7277a9a469573a147d6b16723237ad5dafe5e3509fcd88b10c5d76f4b42a657c16e504534bba9a9350f44b7
SSDEEP

6144:pXeakGSCdlUIwqIQLZ4brf9NRPPS9kUKqAlaZdsqGsuCWYo4ubQsV:aKeTqhLZ4/f9NRmkD3ansqGtCrg

Score

10^/10

gozi_ifsb

Malware Config

Signatures

Gozi_ifsb family
gozi_ifsb

Files

4b373042809dbc09043c9aa5d2ac7570b91327fc47c8caef918c72ba786f33b4_unpacked_dropper
.exe windows x86

c65bc0d52cb010ec037ec05fb491539c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlNtStatusToDosError
memset
NtUnmapViewOfSection
NtMapViewOfSection
memcpy
ZwClose
NtCreateSection
mbstowcs
ZwOpenProcessToken
ZwOpenProcess
ZwQueryInformationToken
NtQuerySystemInformation
RtlFreeUnicodeString
ZwQueryInformationProcess
RtlUpcaseUnicodeString
RtlUnwind
NtQueryVirtualMemory

shlwapi

StrRChrA
PathFindExtensionW
PathFindFileNameW
StrChrA
PathCombineW
StrStrIA
StrTrimW
StrChrW
PathFindFileNameA
PathFindExtensionA

setupapi

SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyA

kernel32

SetEvent
GetTickCount
Sleep
HeapFree
CreateProcessA
lstrlenW
GetLastError
GetProcAddress
ResetEvent
LoadLibraryA
lstrcmpiW
lstrcatW
DeleteFileW
CreateWaitableTimerA
SetFileAttributesW
SetWaitableTimer
HeapAlloc
GetModuleHandleA
HeapCreate
HeapDestroy
GetCommandLineW
ExitProcess
CloseHandle
ReadFile
WaitForSingleObject
CreateFileA
CreateEventA
VirtualProtectEx
lstrcmpA
GetTempPathA
GetTempFileNameA
CreateDirectoryA
GetFileSize
lstrcpynA
GetModuleFileNameA
VirtualAlloc
lstrcmpiA
SetLastError
GetModuleFileNameW
VirtualFree
OpenProcess
SuspendThread
ResumeThread
GetLongPathNameW
GetVersion
GetCurrentProcessId
lstrlenA
ExpandEnvironmentStringsA
lstrcatA
lstrcpyA
ExpandEnvironmentStringsW
LocalFree
SetEndOfFile
CompareFileTime
CreateDirectoryW
WriteFile
CreateFileW
FlushFileBuffers
FindFirstFileA
FindClose
FindNextFileA
GetFileTime
lstrcpyW
SetFilePointer

user32

wsprintfA
wsprintfW
GetCursorInfo

advapi32

OpenProcessToken
RegDeleteValueW
RegEnumKeyExA
RegOpenKeyW
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
RegSetValueExW
RegOpenKeyA
RegCreateKeyA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegCloseKey
RegOpenKeyExA
RegQueryValueExW
RegSetValueExA
RegQueryValueExA

shell32

ord92
ShellExecuteW
ShellExecuteExW

ole32

CoUninitialize
CoInitializeEx

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 358KB - Virtual size: 360KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c65bc0d52cb010ec037ec05fb491539c

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

shlwapi

setupapi

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 17KB - Virtual size: 17KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 1024B - Virtual size: 1KB

.bss Size: 2KB - Virtual size: 1KB

.rsrc Size: 358KB - Virtual size: 360KB

.text
Size: 17KB - Virtual size: 17KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 1KB

.bss
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 358KB - Virtual size: 360KB