gozi | f651336201727dbaa8b6c532b17960ba50a0fc14cd7fedf69abca5ed1df7dfde

General

Target

f651336201727dbaa8b6c532b17960ba50a0fc14cd7fedf69abca5ed1df7dfde
Size

56KB
MD5

5db8ffc60eb887c76d1b4e1ad2c34e78
SHA1

81beca874e05e0011a126b26e6cca691e5515bfd
SHA256

f651336201727dbaa8b6c532b17960ba50a0fc14cd7fedf69abca5ed1df7dfde
SHA512

3a57533fad557ced9806dcf97905787c639b936e9638d1e4e5275c0a396dbe4b17650067e5185bfdeb348f1aa4636bced83f91237d34876303d7b5a2933196ee
SSDEEP

768:BUBXO235a8MXEv8ycPr8mA0i2V0hhXhhjYko8FVgihBfULeY2:Sx348edvPrl6tYkhVVbULw

Score

10^/10

isfb 999 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

999

C2

config.edge.skype.com

146.70.35.138

146.70.35.142

Attributes

base_path
/phpadmin/
build
250227
exe_type
loader
extension
.src
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Files

f651336201727dbaa8b6c532b17960ba50a0fc14cd7fedf69abca5ed1df7dfde
.dll regsvr32 windows x86

7c62ab7d5f2ed68e4989689e898c43c4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
HeapAlloc
SetThreadPriority
Sleep
ExitThread
lstrlenW
GetLastError
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapFree
GetModuleFileNameW
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

7c62ab7d5f2ed68e4989689e898c43c4

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 4KB - Virtual size: 4KB

.reloc Size: 32KB - Virtual size: 32KB

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 4KB - Virtual size: 4KB

.reloc
Size: 32KB - Virtual size: 32KB