gozi | isfb_worker_8c4107362ec6aabe0a4651113e5853b622ba6a3d847a15fdf67487e58c084eb6[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

isfb_worker_8c4107362ec6aabe0a4651113e5853b622ba6a3d847a15fdf67487e58c084eb6.bin
Size

177KB
MD5

db60384be33fe773212c3f5aaf52aeab
SHA1

f16c5da5ef3598f93a8837e62fd7e114649e28a4
SHA256

8c4107362ec6aabe0a4651113e5853b622ba6a3d847a15fdf67487e58c084eb6
SHA512

0e964d852b4446c61c67352d81f2724d18cb48f4786f16c714d7f41d5a25778fe42cbcdf17e4a07487ee5f4f8ae9ba6041c56ec16b5838093ca3fc7fbfc6d0d1
SSDEEP

3072:6sW0r3N7kR0xFRekZI+TMpNG/5ufwDoP/k5znpeGF2zcAtwb8CUcK2ffYd0nXi6Y:Jr3N7lmklTM8ufAoPuznpeGjAtwKct+D

Score

10^/10

isfb 5050 gozi

Malware Config

Extracted

Family

gozi

Botnet

5050

https://avas1t.de/in/loginq/

109.105.198.129

delideta.com

Attributes

base_path
/pictures/
build
250259
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
isfb_worker_8c4107362ec6aabe0a4651113e5853b622ba6a3d847a15fdf67487e58c084eb6.bin

Files

isfb_worker_8c4107362ec6aabe0a4651113e5853b622ba6a3d847a15fdf67487e58c084eb6.bin
.dll windows x86

aa4e7746d212e2ec3803b158ab36fe4e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

sprintf
strstr
ZwQueryInformationToken
ZwOpenProcess
ZwClose
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
NtQueryInformationThread
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
NtResumeProcess
RtlFreeUnicodeString
RtlUpcaseUnicodeString
NtSuspendProcess
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
NtSetInformationProcess
_aulldiv
_allmul
_chkstk
RtlUnwind
NtQueryVirtualMemory

kernel32

TlsAlloc
GetCurrentDirectoryW
LoadLibraryW
GetVersionExA
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
TerminateThread
GetCurrentProcessId
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
InterlockedIncrement
InterlockedDecrement
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
InterlockedExchange
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
RegisterWaitForSingleObject
VirtualProtect
GetVersion
GetProcAddress
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetExitCodeProcess
CreateProcessA
CreateFileMappingA
OpenFileMappingA
LocalFree
lstrcpynA
GlobalLock
GlobalUnlock
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
VirtualQuery
ExpandEnvironmentStringsW
RemoveDirectoryW
SetEndOfFile
SetFilePointer
FindNextFileW
FindClose
GetFileAttributesW
SetFilePointerEx
FindFirstFileW
SetCurrentDirectoryW

Sections

.text
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

aa4e7746d212e2ec3803b158ab36fe4e

Headers

File Characteristics

Imports

ntdll

kernel32

Sections

.text Size: 136KB - Virtual size: 136KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 4KB - Virtual size: 5KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 13KB - Virtual size: 16KB

.text
Size: 136KB - Virtual size: 136KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 4KB - Virtual size: 5KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 13KB - Virtual size: 16KB