gozi | 6c3994c334f1d6ffc8db7e125e27236dd088076ae102b5ec3f0cdcfe23f486f5

Resubmissions

30/10/2023, 13:07

231030-qcva8seh45 10

30/10/2023, 12:57

231030-p6zmdada41 10

Sharing

Copy URL Twitter E-mail

General

Target

6c3994c334f1d6ffc8db7e125e27236dd088076ae102b5ec3f0cdcfe23f486f5
Size

197KB
MD5

234798637593d2f8b94a6c5f4c9857c1
SHA1

9975e21bd3b91a246d22011575642bbdf8cb9163
SHA256

6c3994c334f1d6ffc8db7e125e27236dd088076ae102b5ec3f0cdcfe23f486f5
SHA512

d1698d6e9c60bbcb45a0ca34578b3aac718f03756046c1f0fed5180d05544990d6f4bda7ce65923729679344bf2ce2e79d43093f6304a5771af021423070c428
SSDEEP

3072:D9n4OEF4KEN1vaUtLjCHzB1ANvDu5L/o3huLpiKI/Beo75c7iA9h+zeuCkN9l:75KETvzY/sa5b9LsDl7KVgvJ

Score

10^/10

isfb 1006 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1006

petroilimos.at/clkx25/qw5yt/ftrkp2j

petroilimos.su/cl001/pktre/rtyx

alfgoonop.at/clkx25/qw5yt/ftrkp2j

alpetopgx.at/clkx25/qw5yt/ftrkp2j

grekoiuh.at/clkx25/qw5yt/ftrkp2j

alfgoonop.su/cl001/pktre/rtyx

alpetopgx.su/cl001/pktre/rtyx

foropolios.su/cl001/pktre/rtyx

xor055rox550ytr.com/clkx25/qw5yt/ftrkp2j

ror077rox770ytr.com/clkx25/qw5yt/ftrkp2j

Attributes

exe_type
worker
server_id
44

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6c3994c334f1d6ffc8db7e125e27236dd088076ae102b5ec3f0cdcfe23f486f5

Files

6c3994c334f1d6ffc8db7e125e27236dd088076ae102b5ec3f0cdcfe23f486f5
.exe windows:4 windows x86

d1fe3b438b55612818dd566a71a78a28

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlNtStatusToDosError
RtlUnwind
NtMapViewOfSection
NtCreateSection
ZwQueryInformationProcess
NtSetContextThread
NtGetContextThread
NtUnmapViewOfSection
wcstombs
ZwClose
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
mbstowcs
memcpy
memset
_strupr
RtlRandom
NtQueryVirtualMemory

shlwapi

PathFindExtensionA
PathCombineA
StrStrIA
StrStrA
StrRChrA
StrChrA

setupapi

SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA
SetupDiEnumDeviceInfo

kernel32

OpenEventA
lstrlenA
CreateEventA
FindFirstFileA
FindNextFileA
lstrcmpiA
CopyFileA
Sleep
HeapAlloc
SetWaitableTimer
CreateToolhelp32Snapshot
GetFileTime
GetWindowsDirectoryA
CreateProcessA
FindClose
TerminateProcess
ResetEvent
GetCurrentProcess
GetSystemDirectoryA
CompareFileTime
Process32Next
HeapFree
CreateWaitableTimerA
GetTempPathA
SetEvent
WaitForSingleObject
lstrcpyA
DeleteFileA
lstrcatA
Process32First
OpenProcess
GetModuleHandleA
HeapCreate
HeapDestroy
GetCommandLineA
ExitProcess
GetLastError
CloseHandle
CreateFileA
ReadFile
GetTickCount
VirtualProtectEx
ResumeThread
SuspendThread
GetThreadContext
lstrcmpA
lstrcpynA
WriteFile
GetTempFileNameA
ExpandEnvironmentStringsW
CreateFileW
SetEndOfFile
GetFileSize
LocalFree
lstrlenW
GetVersion
GetModuleFileNameW
GetModuleFileNameA
ReadProcessMemory
SetFilePointer
VirtualAllocEx
CreateRemoteThread
GetCurrentProcessId
WriteProcessMemory
GetProcAddress
VirtualAlloc
VirtualFree

user32

GetWindowThreadProcessId
wsprintfA
GetShellWindow

advapi32

RegQueryValueExA
LookupPrivilegeValueA
RegOpenKeyExA
RegEnumKeyExA
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorA
FreeSid
SetSecurityInfo
AllocateAndInitializeSid
OpenProcessToken
SetEntriesInAclA
RegOpenKeyA
RegCreateKeyA
GetTokenInformation
GetSidSubAuthority
GetSidSubAuthorityCount
SetNamedSecurityInfoA
RegCloseKey
GetSecurityInfo
RegSetValueExA

shell32

ShellExecuteA
ord92
ShellExecuteExA

ole32

CoInitializeEx
CoUninitialize

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 168KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

d1fe3b438b55612818dd566a71a78a28

Headers

File Characteristics

Imports

ntdll

shlwapi

setupapi

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 17KB - Virtual size: 16KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 1KB - Virtual size: 1KB

.bss Size: 1KB - Virtual size: 1KB

.rsrc Size: 168KB - Virtual size: 172KB

.text
Size: 17KB - Virtual size: 16KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 1KB - Virtual size: 1KB

.bss
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 168KB - Virtual size: 172KB