gozi | 6b645497a72175e510164553e888443b

General

Target

6b645497a72175e510164553e888443b
Size

64KB
MD5

6b645497a72175e510164553e888443b
SHA1

55c6c5b81b35713fd833cc934b9be80d378d67b7
SHA256

cc35beb3f7b5fd6a38b1775f110f9ab527c90f3cf6e76b02e074dc2954955a4c
SHA512

896b39ebfc5f21f3762292fdebd264ffad05ecad023d0b24c243d54f358be43abbf97eb2c2ceddaaa5b41a1e7da1218fdb2a4d44accd25fc66151d730c74a54d
SSDEEP

768:e/MqAiv8x/jkl/UagT8OCyyGAfp/SZjGjCfaURLgujh/S+enjOTKIzoCtwznW:aMqAJY23T8fDGAx/Sm0guFKQvzNiznW

Score

10^/10

isfb 8877 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8877

C2

outlook.com

zaluoa.live

daskdjknefjkewfnkjwe.net

Attributes

base_path
/jkloop/
build
250207
dga_season
10
exe_type
loader
extension
.kre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

6b645497a72175e510164553e888443b

resource
6b645497a72175e510164553e888443b

Files

6b645497a72175e510164553e888443b
.dll regsvr32 windows:4 windows x86 arch:x86

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapAlloc
GetLastError
GetSystemTime
Sleep
SwitchToThread
HeapFree
SetThreadAffinityMask
ExitThread
lstrlenW
SleepEx
WaitForSingleObject
HeapCreate
InterlockedDecrement
HeapDestroy
InterlockedIncrement
CloseHandle
SetThreadPriority
GetCurrentThread
GetExitCodeThread
VirtualProtect
GetModuleFileNameW
SetLastError
GetModuleHandleA
GetLongPathNameW
OpenProcess
GetVersion
GetCurrentProcessId
CreateEventA
QueueUserAPC
CreateThread
TerminateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc
CreateFileMappingW
GetSystemTimeAsFileTime
MapViewOfFile

ntdll

_snwprintf
memset
memcpy
_aulldiv
RtlUnwind
NtQueryVirtualMemory

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

9b4bd5e9c744a772e2cae4b95c84d26f

Headers

File Characteristics

Imports

kernel32

ntdll

advapi32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 4KB

.bss Size: 4KB - Virtual size: 4KB

.reloc Size: 36KB - Virtual size: 36KB

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 4KB

.bss
Size: 4KB - Virtual size: 4KB

.reloc
Size: 36KB - Virtual size: 36KB