gozi | 69d646441885a01d2203c17d5b38c1772d0f8cb76d0a43d33d143e7a0b13f6f8[.]zip

General

Target

69d646441885a01d2203c17d5b38c1772d0f8cb76d0a43d33d143e7a0b13f6f8.zip
Size

34KB
MD5

4b56f2ab7db0fa81a3ff67224ea21da0
SHA1

8b103b6ebcdbc77cf5c2040d852ee9da0da333ca
SHA256

6e8f53d3f1915e1c4ad6dcf83fb2a0c86b757d6854076671ad84aefccd49fc5d
SHA512

b4f607c8eb7eb1fa50a10fedcc93ae309d960ce6931ad29c3ee7e4a6365493d15db14aa1a0866601ebe800b3dcda3db48d65a1ae824e20864ef0ee050ab4f700
SSDEEP

768:WA0BesizOQWoq7Smrb+TsLeRnSuCKqOWiHLmbyhkdnr:WA0ksizOQWn7msaRSuCKqOWALmb8kdr

Score

10^/10

isfb 5050 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

https://config.edge.skype.com

91.215.85.201

Attributes

base_path
/jerry/
build
250255
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Files

69d646441885a01d2203c17d5b38c1772d0f8cb76d0a43d33d143e7a0b13f6f8.zip
.zip

Password: infected
69d646441885a01d2203c17d5b38c1772d0f8cb76d0a43d33d143e7a0b13f6f8.dll
.dll regsvr32 windows x86

Password: infected

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
GetLocaleInfoA
GetSystemDefaultUILanguage
SetThreadPriority
HeapFree
Sleep
ExitThread
lstrlenW
GetLastError
VerLanguageNameA
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapAlloc
GetModuleHandleA
GetModuleFileNameW
SetLastError
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 735B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

Password: infected

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 604B

.bss Size: 1024B - Virtual size: 735B

.reloc Size: 29KB - Virtual size: 32KB

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 604B

.bss
Size: 1024B - Virtual size: 735B

.reloc
Size: 29KB - Virtual size: 32KB