gozi | a17278301c0bf3525ad25c88335440dc

Sharing

Copy URL

Twitter E-mail

General

Target

a17278301c0bf3525ad25c88335440dc
Size

223KB
MD5

a17278301c0bf3525ad25c88335440dc
SHA1

7a0e4877dde054d545f4efe000181e047e9e8204
SHA256

ce6fd95f85fe4fa57f678974c3690cf829887fb7723de85d3a51e64199b780c7
SHA512

9715c511cc242548d15ceceaf402ef6b576823fb1d496667afb5ca43ca447c46930c989f418c4ad129aa4f516ae239ae5811ea9960d3ac1a583cbfa2cecd312f
SSDEEP

6144:dHExb7VwvtKNbnvSxYNiyf+D3LuDXy5eHQ:Kxb5wvtKRvSxY0G+D7urnQ

Score

10^/10

isfb 1001 gozi

Malware Config

Extracted

Family

gozi

Botnet

1001

updates.esset.com

jensjen.in

strongbilt.cc

drauduburr.ws

besstrown.cn

druckenshtalen.mn

grantedii.co

loudam62.tk

libricee.in

burbasoftw.pw

waiseen.io

trumphujtebevrot.bit

ymxslfmppjcvwkrjtfnr.co

ohnjjxasfxgxiakhtohn.in

hnhccsotdqftyicvossk.at

xcgrdxcmfirfvignnfea.ws

umvwdtbenbinronbohcc.pw

Attributes

base_path
/images/
dga_season
10
dns_servers
107.174.86.134
107.175.127.22
exe_type
worker
extension
.avi
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

a17278301c0bf3525ad25c88335440dc

resource
a17278301c0bf3525ad25c88335440dc

Files

a17278301c0bf3525ad25c88335440dc
.dll windows:5 windows x64 arch:x64

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ZwClose
ZwOpenProcess
ZwQueryInformationToken
NtSetInformationProcess
sprintf
ZwOpenProcessToken
strcpy
ZwQueryInformationProcess
RtlNtStatusToDosError
NtQuerySystemInformation
_wcsupr
memmove
wcscpy
_snprintf
mbstowcs
ZwQueryKey
RtlFreeUnicodeString
RtlUpcaseUnicodeString
wcstombs
RtlAdjustPrivilege
memset
_strupr
_snwprintf
memcpy
RtlImageNtHeader
NtQueryInformationThread
__C_specific_handler
RegisterWaitForSingleObject
VirtualProtectEx
FileTimeToLocalFileTime
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
QueryPerformanceFrequency
GetLocalTime
FileTimeToSystemTime
GetComputerNameExA
GetComputerNameW
QueryPerformanceCounter
GetTempFileNameA
CreateThread
TerminateThread
GetCurrentProcessId
GetVersion
HeapAlloc
HeapFree
WaitForSingleObject
ExitThread
lstrlenW
GetLastError
ResetEvent
CloseHandle
DeleteFileW
CreateFileA
lstrlenA
WriteFile
lstrcatA
CreateDirectoryA
RemoveDirectoryA
LoadLibraryA
DeleteFileA
lstrcpyA
HeapReAlloc
SetEvent
GetSystemTimeAsFileTime
HeapDestroy
HeapCreate
GetModuleHandleA
ExitProcess
GetFileSize
lstrcmpA
SetWaitableTimer
CreateDirectoryW
GetTickCount
GetCurrentThread
VirtualFree
GetWindowsDirectoryA
GetCommandLineA
InitializeCriticalSection
OpenProcess
Sleep
CopyFileW
CreateEventA
LeaveCriticalSection
TerminateProcess
CreateFileW
VirtualAlloc
EnterCriticalSection
lstrcmpiW
lstrcatW
GetCurrentThreadId
DuplicateHandle
GetTempPathA
SuspendThread
ResumeThread
lstrcpyW
SwitchToThread
MapViewOfFile
UnmapViewOfFile
SetLastError
lstrcmpiA
OpenWaitableTimerA
OpenMutexA
WaitForMultipleObjects
CreateMutexA
ReleaseMutex
CreateWaitableTimerA
UnregisterWait
TlsGetValue
LoadLibraryExW
TlsSetValue
GetVersionExA
VirtualProtect
TlsAlloc
OpenEventA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetProcAddress
GetDriveTypeW
GetLogicalDriveStringsW
WideCharToMultiByte
GetFileAttributesA
GetExitCodeProcess
GetFileAttributesW
CreateProcessA
CreateFileMappingA
OpenFileMappingA
lstrcpynA
GlobalLock
GlobalUnlock
LocalFree
Thread32First
Thread32Next
QueueUserAPC
OpenThread
CreateToolhelp32Snapshot
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
ReadFile
GetOverlappedResult
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
CancelIo
GetSystemTime
SleepEx
LocalAlloc
FreeLibrary
RaiseException
DeleteCriticalSection
VirtualQuery
ExpandEnvironmentStringsW
FindNextFileW
RemoveDirectoryW
FindClose
SetEndOfFile
SetFilePointer
FindFirstFileW

Sections

.text
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

a2bba8f9bc87dc77d912b0ff63f31a67

Headers

File Characteristics

Imports

Sections

.text Size: 178KB - Virtual size: 178KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 6KB - Virtual size: 7KB

.pdata Size: 6KB - Virtual size: 5KB

.bss Size: 8KB - Virtual size: 8KB

.reloc Size: 3KB - Virtual size: 4KB

.text
Size: 178KB - Virtual size: 178KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 6KB - Virtual size: 7KB

.pdata
Size: 6KB - Virtual size: 5KB

.bss
Size: 8KB - Virtual size: 8KB

.reloc
Size: 3KB - Virtual size: 4KB