gozi | 4f30000[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4f30000.dll
Size

52KB
MD5

694790fcc1f523f755dc7c37f8489d92
SHA1

44b5a04319a478c9db2f1598b03e1db249540b40
SHA256

c8fc1b1f3470fdab97ed5e2d61b23caaf77d0a757993eab67144bf1fc0800774
SHA512

454f4640a959dc936b1bf9876174275034db21c528d4a972517390bbe7e2f34fc43f1641ae8c177f1ee62a0a8d2c0da21e642bce7a2555f73ee78f70e1571009
SSDEEP

768:wg7utFyMcDYENEyjQfE8YCX+OkKE/mOp9Sy6Cse8z7jMOtXCw4XQ:wuAcMcp8YCX+OkKm5Sy6Cse8PjMO2X

Score

10^/10

isfb 5050 gozi

Malware Config

Extracted

Family

gozi

Botnet

5050

C2

https://avas1ta.com/in/login/

itwicenice.com

Attributes

base_path
/jerry/
build
250259
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4f30000.dll

Files

4f30000.dll
.dll windows x86

b1e1d582732e4e48ca192109b68c23b4

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ord2
ord16
ord15
ord6

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ