gozi | 4bd3b41d373e85a5478838040fc56f50 | Triage

Sharing

General

Target

4bd3b41d373e85a5478838040fc56f50
Size

54KB
MD5

4bd3b41d373e85a5478838040fc56f50
SHA1

d11b606daf2f2909320afc672797372683c1362e
SHA256

c0d7e8fdc01774859e64b3bf827cefa7800391db0b8fe52028ea738182f18ad4
SHA512

8f88346f6ee4b706ccddb46e60190d4b29d0318d5d6ae517a61bf4ccb03cb0e77c11f7691d437af12603c75ddcce80202efddabebde17bf96e95e32eb0be072f
SSDEEP

1536:81EAiXqlalXCloEQc1g6m6W6xVKV4OQrnP:81EAiXqlalGoEnqCPs4OQj

Score

10^/10

isfb 1001 gozi

Malware Config

Extracted

Family

gozi

Botnet

1001

C2

update1.avast.com

zilbon.ws

update2.avira.com

lumpet.co

emerald.ws

ferroun.in

Attributes

base_path
/sreamble/
build
250207
dga_season
10
exe_type
loader
extension
.sre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

4bd3b41d373e85a5478838040fc56f50

Files

4bd3b41d373e85a5478838040fc56f50
.dll windows:4 windows x86 arch:x86

e9244b914da8ab3aa7f5dab62d3fe787

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ord6
ord16
ord15
ord2

Sections

.text
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ