gozi | e233642b9cb70dfe4e1fef85988b937e7461dbd41eafbd59694f65e5ddef28f4[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

e233642b9cb70dfe4e1fef85988b937e7461dbd41eafbd59694f65e5ddef28f4.exe
Size

264KB
MD5

d883ae7403f3adee8c0831c3aac4c208
SHA1

07658014aefe68ef5f1bc9c19552b371d7aabd70
SHA256

e233642b9cb70dfe4e1fef85988b937e7461dbd41eafbd59694f65e5ddef28f4
SHA512

929c8bc0a282af167cc0ae1a4695f3367ff899f0ee066ebfd7d95fcdd58bcc734d7c55495f87930df3b2c715ce765f0cc777d59c536e318a34e4c10219b3b52e
SSDEEP

6144:PNdMYdCojCslz3q43XjsEV+FAmpRYtxslEXcMiECHlkTE:VdpdCeqsj90ppy0qXrZgaE

Score

10^/10

isfb 4099 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

4099

Attributes

exe_type
worker

rsa_pubkey.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e233642b9cb70dfe4e1fef85988b937e7461dbd41eafbd59694f65e5ddef28f4.exe

Files

e233642b9cb70dfe4e1fef85988b937e7461dbd41eafbd59694f65e5ddef28f4.exe
.exe windows:4 windows x86 arch:x86

7c239b12229195f29dde016e51036cf2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

ZwOpenProcessToken
ZwQueryInformationToken
NtUnmapViewOfSection
ZwCreateFile
ZwQueryInformationProcess
_allmul
ZwOpenFile
ZwWriteFile
ZwReadFile
ZwClose
RtlInitUnicodeString
memcpy
memset
RtlUnwind
NtGetContextThread
NtSetContextThread
ZwDeviceIoControlFile
RtlNtStatusToDosError
NtCreateSection
NtMapViewOfSection
ZwOpenProcess
_strupr
RtlAdjustPrivilege
RtlRandom
NtQueryVirtualMemory

shlwapi

StrToIntA
StrChrA
StrStrIA
StrRChrA

kernel32

SetEvent
OpenEventA
SleepEx
FindFirstFileA
CreateEventA
GetLastError
GetModuleFileNameA
lstrcmpiA
FindNextFileA
CopyFileA
GetModuleHandleA
GetTickCount
lstrlenA
CreateProcessA
MoveFileExA
FindClose
GetWindowsDirectoryA
TerminateProcess
ResetEvent
GetSystemDirectoryA
GetCommandLineA
Sleep
ExitProcess
GetTempPathA
lstrcatA
LocalAlloc
LocalFree
OpenProcess
DeleteFileA
GetProcAddress
GetVolumeInformationA
GetCurrentProcess
GetVersion
CreateMutexA
VirtualFree
VirtualAlloc
GetFileSize
WaitForSingleObject
lstrcpyA
VirtualProtectEx
SwitchToThread
GetThreadContext
CloseHandle
lstrcpynA
GetCurrentProcessId
WriteFile
CreateFileA
SetEndOfFile
lstrcmpA
VirtualAllocEx
ResumeThread
SuspendThread
WriteProcessMemory
ReadFile
SetFilePointer
ReadProcessMemory

user32

wsprintfA
GetWindowThreadProcessId
ExitWindowsEx
wsprintfW
GetShellWindow

advapi32

ConvertStringSecurityDescriptorToSecurityDescriptorA
OpenProcessToken
GetTokenInformation
RegCreateKeyA
RegQueryValueExA
RegCloseKey
RegSetValueExA
RegOpenKeyExA
RegOpenKeyA

shell32

ShellExecuteExA
ShellExecuteA

ole32

CoInitializeEx

psapi

GetModuleFileNameExA
EnumProcessModules

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 232KB - Virtual size: 232KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

7c239b12229195f29dde016e51036cf2

Headers

File Characteristics

Imports

ntdll

shlwapi

kernel32

user32

advapi32

shell32

ole32

psapi

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 1KB - Virtual size: 1KB

.bss Size: 3KB - Virtual size: 3KB

.rsrc Size: 232KB - Virtual size: 232KB

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 1KB - Virtual size: 1KB

.bss
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 232KB - Virtual size: 232KB