gozi | 038ec883e88a6bd5c8d463d0fd83c63f

Sharing

Copy URL

Twitter E-mail

General

Target

038ec883e88a6bd5c8d463d0fd83c63f
Size

223KB
MD5

038ec883e88a6bd5c8d463d0fd83c63f
SHA1

691362d6ed6f2d1c585c5f58eb102e2680a7604b
SHA256

19d751d21d2767150e79258084727da36cc2203ccfb79a66d9973b8ea5c3f862
SHA512

f1d2a3c8472991ce1900b63905803abe62f019f22e4b94c81d8e02665264aedf573cf8b9ae9c6af0644b46512c62c89acaff51f699bb3715c9e2ca0b45bdec36
SSDEEP

6144:dHExb7VwvtKNbnvSxYNiyf+D3LuDXy5aHQ:Kxb5wvtKRvSxY0G+D7urTQ

Score

10^/10

isfb 1001 gozi

Malware Config

Extracted

Family

gozi

Botnet

1001

updates.esset.com

jensjen.in

strongbilt.cc

drauduburr.ws

besstrown.cn

druckenshtalen.mn

grantedii.co

loudam62.tk

libricee.in

burbasoftw.pw

waiseen.io

trumphujtebevrot.bit

ymxslfmppjcvwkrjtfnr.co

ohnjjxasfxgxiakhtohn.in

hnhccsotdqftyicvossk.at

xcgrdxcmfirfvignnfea.ws

umvwdtbenbinronbohcc.pw

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

038ec883e88a6bd5c8d463d0fd83c63f

resource
038ec883e88a6bd5c8d463d0fd83c63f

Files

038ec883e88a6bd5c8d463d0fd83c63f
.dll windows:5 windows x64 arch:x64

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ZwClose
ZwOpenProcess
ZwQueryInformationToken
NtSetInformationProcess
sprintf
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
NtQueryInformationThread
__C_specific_handler
RegisterWaitForSingleObject
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
TerminateThread
GetCurrentProcessId
GetVersion
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
GetVersionExA
VirtualProtect
TlsAlloc
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetProcAddress
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetFileAttributesA
GetExitCodeProcess
GetFileAttributesW
CreateProcessA
CreateFileMappingA
OpenFileMappingA
lstrcpynA
GlobalLock
GlobalUnlock
LocalFree
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
VirtualQuery
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
SetEndOfFile
SetFilePointer
FindFirstFileW

Sections

.text
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

Imports

Sections

.text Size: 178KB - Virtual size: 178KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 6KB - Virtual size: 7KB

.pdata Size: 6KB - Virtual size: 5KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 178KB - Virtual size: 178KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 6KB - Virtual size: 7KB

.pdata
Size: 6KB - Virtual size: 5KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 3KB - Virtual size: 4KB