gozi | eb5218ce153db41158bdf7700ae8a51e415a418bb63896b3a7138ad49b520598[.]8cd6_9a00[.]dll

General

Target

eb5218ce153db41158bdf7700ae8a51e415a418bb63896b3a7138ad49b520598.8cd6_9a00.dll
Size

38KB
MD5

7bb8b5974a947f223ae2b9517a5641d0
SHA1

3dd551351bb7a15a9bb3b3b09611b4b9704e4e91
SHA256

8bf69fe9bf7e1da499c6b18681b836b3dbf31c1ceb304009354217e95bf11999
SHA512

bcddd4038c0482bc9bf6f1aaa7f6ae1505ad89738c421737cb07e3f5df04677745bed96c46601ac7658e989975030825ab4bcd6637e736ae61870b310a97b914
SSDEEP

768:Gn9UckpReivxim+Ky3Yr4YWtaoOGIHnef+Y0cQCKScVsy:CYzFi/IrUQo8HzScz

Score

10^/10

isfb 3500 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3500

C2

init.icecreambob.com

app.updatebrouser.com

fun.lakeofgold.com

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
eb5218ce153db41158bdf7700ae8a51e415a418bb63896b3a7138ad49b520598.8cd6_9a00.dll

Files

eb5218ce153db41158bdf7700ae8a51e415a418bb63896b3a7138ad49b520598.8cd6_9a00.dll
.dll regsvr32 windows:4 windows x86 arch:x86

4139c221d1b6b96f238c97b827c3e63d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

memset
memcpy
_snwprintf
NtQuerySystemInformation
_aulldiv
RtlUnwind
NtQueryVirtualMemory

shlwapi

StrStrIA

kernel32

WaitForSingleObject
SleepEx
SetThreadAffinityMask
HeapAlloc
GetLastError
HeapCreate
Sleep
HeapFree
GetExitCodeThread
GetLocaleInfoA
ExitThread
GetSystemDefaultUILanguage
lstrlenW
InterlockedDecrement
HeapDestroy
InterlockedIncrement
CloseHandle
SetThreadPriority
GetCurrentThread
VerLanguageNameA
GetModuleFileNameW
CreateFileMappingW
MapViewOfFile
GetSystemTimeAsFileTime
SetLastError
GetModuleHandleA
VirtualProtect
OpenProcess
GetVersion
GetCurrentProcessId
CreateEventA
GetLongPathNameW
QueueUserAPC
CreateThread
TerminateThread
GetProcAddress
LoadLibraryA
VirtualFree
VirtualAlloc

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 604B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

4139c221d1b6b96f238c97b827c3e63d

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

advapi32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 604B

.bss Size: 1024B - Virtual size: 620B

.reloc Size: 28KB - Virtual size: 28KB

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 604B

.bss
Size: 1024B - Virtual size: 620B

.reloc
Size: 28KB - Virtual size: 28KB