gozi | 12123834144[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

12123834144.zip
Size

132KB
MD5

501be31724a9cc7db6478729121f4c86
SHA1

43d2c2b5ec2dfcbd29b44e4d1fe2bf785a70b387
SHA256

c0d87b1aabfebda3315eb5958eccd912c7511577f386a03116853b9108aab6c4
SHA512

810f1efdd02cc6c89958c5c9cba39c82992a6b669279845b2c241407f518b864dee65d12fa3c2a4b71818b0d6ff7632a827e16a9da8ec3f45334fba4769c61d0
SSDEEP

3072:QpnhPOt8C8iY0Ij9Dag8B2Eb14rE5vHlA30Bv:wlS8C8i9IjEpuEhHzv

Score

10^/10

isfb 2000 gozi

Malware Config

Extracted

Family

gozi

Botnet

2000

trackingg2-protectioon.cdn4.mozilla.net

109.230.199.185

trackingg3-protectioon.cdn5.mozilla.net

185.212.44.249

trackingg4-protectioon.cdn5.mozilla.net

194.76.225.37

trackingg5-protectioon.cdn1.mozilla.net

194.76.224.181

trackingg-protectioon.cdn1.mozilla.net

194.76.225.164

trackingg3-protectioon.cdn6.mozilla.net

185.158.251.205

trackingg-protectioon.cdn2.mozilla.net

185.189.149.216

trackingg5-protectioon.cdn3.mozilla.net

185.158.249.54

trackingg-protectioon.cdn4.mozilla.net

185.212.44.130

trackingg1-protectioon.cdn5.mozilla.net

37.10.71.83

Attributes

base_path
/fonts/
exe_type
worker
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8

Files

12123834144.zip
.zip

Password: infected
dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8
.dll windows:5 windows x64

Password: infected

81de4ee1071a8320787d7c9e149ace7f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ZwOpenProcess
ZwQueryInformationToken
NtSetInformationProcess
sprintf
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
NtQueryInformationThread
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
NtResumeProcess
RtlFreeUnicodeString
RtlUpcaseUnicodeString
NtSuspendProcess
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
ZwClose
__C_specific_handler
__chkstk
RegisterWaitForSingleObject
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
TerminateThread
GetCurrentProcessId
GetVersion
DeleteCriticalSection
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
VirtualQuery
VirtualProtect
TlsAlloc
GetProcAddress
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetExitCodeProcess
CreateProcessA
CreateFileMappingA
OpenFileMappingA
LocalFree
lstrcpynA
GlobalLock
GlobalUnlock
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
ExpandEnvironmentStringsW
RemoveDirectoryW
SetEndOfFile
SetFilePointer
FindNextFileW
FindClose
GetFileAttributesW
SetFilePointerEx
FindFirstFileW
GetVersionExA

Sections

.text
Size: 179KB - Virtual size: 179KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

81de4ee1071a8320787d7c9e149ace7f

Headers

File Characteristics

Imports

Sections

.text Size: 179KB - Virtual size: 179KB

.rdata Size: 22KB - Virtual size: 22KB

.data Size: 6KB - Virtual size: 8KB

.pdata Size: 6KB - Virtual size: 6KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 179KB - Virtual size: 179KB

.rdata
Size: 22KB - Virtual size: 22KB

.data
Size: 6KB - Virtual size: 8KB

.pdata
Size: 6KB - Virtual size: 6KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 3KB - Virtual size: 4KB