gozi | 672c3cd4eb8a5e4dc974c8f14a23f23f5863c5fb8cc1043c49771de715259dde

Sharing

Copy URL Twitter E-mail

General

Target

672c3cd4eb8a5e4dc974c8f14a23f23f5863c5fb8cc1043c49771de715259dde
Size

389KB
MD5

a4fba9e65561ef7ae0e681c518c86098
SHA1

8ebe5177fa6d04d0dcb64c597d438fc462629d0a
SHA256

672c3cd4eb8a5e4dc974c8f14a23f23f5863c5fb8cc1043c49771de715259dde
SHA512

8197f6e90aff671cf3ce83beec1046cb2f87c8d85eece44d34e0c6f02cbb6979a77d8ddc356ccddbf3fe2e7b53f49ce68d9f7557e5d15c12c09e9f89c4928201
SSDEEP

6144:hOfMEEPVKwJSsCpGvsDiftw+25vEmP1AMuBmFbHbQ8PCvqgzSOAK94Om5x/6:VJRCQ4iFN25xWfmF/dCvqgzSzKWS

Score

10^/10

isfb gozi

Malware Config

Extracted

Family

gozi

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
672c3cd4eb8a5e4dc974c8f14a23f23f5863c5fb8cc1043c49771de715259dde

Files

672c3cd4eb8a5e4dc974c8f14a23f23f5863c5fb8cc1043c49771de715259dde
.exe windows:4 windows x86 arch:x86

e01fed2479e6e3c696505c1007fe7920

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

NtCreateSection
memset
NtMapViewOfSection
NtUnmapViewOfSection
memcpy
RtlNtStatusToDosError
ZwClose
mbstowcs
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
ZwQueryInformationProcess
RtlUpcaseUnicodeString
NtQuerySystemInformation
RtlFreeUnicodeString
RtlUnwind
NtQueryVirtualMemory

shlwapi

PathFindFileNameW
PathCombineW
PathFindExtensionA
PathFindExtensionW
StrChrA
StrStrIA
StrTrimW
StrChrW
PathFindFileNameA
StrRChrA

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsA
SetupDiGetDeviceRegistryPropertyA

kernel32

CreateEventA
GetProcAddress
SetEvent
GetLastError
ResetEvent
DeleteFileW
LoadLibraryA
CreateWaitableTimerA
GetTickCount
SetFileAttributesW
CreateProcessA
HeapAlloc
SetWaitableTimer
lstrlenW
HeapFree
lstrcmpiW
lstrcatW
Sleep
HeapCreate
HeapDestroy
GetCommandLineW
ExitProcess
GetModuleHandleA
CloseHandle
CreateFileA
ReadFile
WaitForSingleObject
SuspendThread
lstrcmpA
CreateDirectoryA
GetTempPathA
GetFileSize
GetTempFileNameA
lstrcpynA
lstrcmpiA
SetLastError
GetModuleFileNameA
GetModuleFileNameW
SetFilePointer
OpenProcess
ResumeThread
VirtualProtectEx
GetVersion
GetCurrentProcessId
GetLongPathNameW
lstrcpyA
lstrcatA
lstrlenA
CreateDirectoryW
lstrcpyW
FlushFileBuffers
FindFirstFileA
FindClose
WriteFile
FindNextFileA
SetEndOfFile
CompareFileTime
CreateFileW
GetFileTime
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
LocalFree
VirtualAlloc
VirtualFree

user32

wsprintfW
wsprintfA
GetCursorInfo

advapi32

RegSetValueExW
RegEnumKeyExA
RegOpenKeyW
RegDeleteValueW
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
RegQueryValueExA
RegCreateKeyA
RegOpenKeyA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegQueryValueExW
RegOpenKeyExA
RegCloseKey
OpenProcessToken
RegSetValueExA

shell32

ShellExecuteW
ord92
ShellExecuteExW

ole32

CoUninitialize
CoInitializeEx

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 363KB - Virtual size: 364KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

e01fed2479e6e3c696505c1007fe7920

Headers

File Characteristics

Imports

ntdll

shlwapi

setupapi

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 17KB - Virtual size: 17KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 1024B - Virtual size: 1KB

.bss Size: 2KB - Virtual size: 1KB

.rsrc Size: 363KB - Virtual size: 364KB

.text
Size: 17KB - Virtual size: 17KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 1KB

.bss
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 363KB - Virtual size: 364KB