Behavioral task
behavioral1
Sample
1416-58-0x00000000001F0000-0x00000000001FE000-memory.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1416-58-0x00000000001F0000-0x00000000001FE000-memory.dll
Resource
win10v2004-20240226-en
General
-
Target
1416-58-0x00000000001F0000-0x00000000001FE000-memory.dmp
-
Size
56KB
-
MD5
4f81b31addb341c6a35d3b01b2025e8a
-
SHA1
14742e07ca600dfd009a15f5ec7884cd0ffa6a36
-
SHA256
1b4193409f97394db766eaeb33397bb879409f03cab7e54dc1f9a09c28697a31
-
SHA512
c501ae7936922ac0646046bd27c2a46858f9b9e592c7c45b88f6f0678961434748634f9a6e91251bd82a6b583f5eb74bf6916729a495bc18c8a22ebb4b213bfd
-
SSDEEP
768:A2R1W1xm3L4xvRy5NGQgGoKItuFe666yuwyF8sj1YsFVOZd43HmIt6J:PMbm3L4f2oKItuLn3kfsLs9/
Malware Config
Extracted
gozi
Extracted
gozi
5050
https://config.edge.skype.com
91.215.85.201
-
base_path
/jerry/
-
build
250255
-
exe_type
loader
-
extension
.bob
-
server_id
50
Signatures
-
Gozi family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 1416-58-0x00000000001F0000-0x00000000001FE000-memory.dmp
Files
-
1416-58-0x00000000001F0000-0x00000000001FE000-memory.dmp.dll windows:5 windows x86 arch:x86
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Sections
.text Size: 6KB - Virtual size: 1.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1KB - Virtual size: 1.9MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 2.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 1024B - Virtual size: 2.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 29KB - Virtual size: 2.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ