gozi | unpacked_sample[.]dll

General

Target

unpacked_sample.dll
Size

56KB
MD5

d960b574ee755efb105b16ddcb6e8ac4
SHA1

c9065f7aa61a613f0caece1fba92183d75619427
SHA256

f59b112154fa7b5d054be2543b3ece90ba0c1eb828edc2636602368f2213aadc
SHA512

167ce1a182c0756ebff40cceed6ef7ae66b19d854e5ba258e135f4c514c2b321e7ed8364e6436aa4a50ca9b74b606a11e82afe0b5fd9c7116411e37898ad509c
SSDEEP

768:A2XtFm6/yekvj2va2FyZWjlC/gL8MNF7yNcYNzB1BA5V53vrUZKmdbhrknZ:xi6qeSjpUAsw/gfBWD1ybm1hiZ

Score

10^/10

isfb 5050 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

https://avas1ta.com/in/login/

itwicenice.com

Attributes

base_path
/jerry/
build
250259
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpacked_sample.dll

Files

unpacked_sample.dll
.dll regsvr32 windows x86

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

_snwprintf
memset
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

kernel32

SetThreadAffinityMask
CloseHandle
GetLocaleInfoA
GetSystemDefaultUILanguage
SetThreadPriority
HeapFree
Sleep
ExitThread
lstrlenW
GetLastError
VerLanguageNameA
GetExitCodeThread
HeapCreate
HeapDestroy
GetCurrentThread
SleepEx
WaitForSingleObject
InterlockedDecrement
InterlockedIncrement
HeapAlloc
GetModuleHandleA
GetModuleFileNameW
SetLastError
VirtualProtect
OpenProcess
CreateEventA
GetLongPathNameW
GetVersion
GetCurrentProcessId
TerminateThread
QueueUserAPC
CreateThread
GetProcAddress
LoadLibraryA
MapViewOfFile
GetSystemTimeAsFileTime
CreateFileMappingW

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

3e85858f9f91b022a15a56437fb6f7c2

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 4KB - Virtual size: 4KB

.reloc Size: 32KB - Virtual size: 32KB

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 4KB - Virtual size: 4KB

.reloc
Size: 32KB - Virtual size: 32KB