Behavioral task: behavioral1
Sample: 453286093b6b2d791b2505384bda59ccadebc3078ad66f13bf4a0262011aa954.exe
Resource: win7-20240704-en
General
  Target: 453286093b6b2d791b2505384bda59ccadebc3078ad66f13bf4a0262011aa954
  Size: 264KB
  MD5: 91c06e88093392d30178b9230a8603ce
  SHA1: bb6327f2c87d7c2d0c993c5ef548cb8313b792fc
  SHA256: 453286093b6b2d791b2505384bda59ccadebc3078ad66f13bf4a0262011aa954
  SHA512: 2924bf36ab70100de08ddea0915ac1943188d31534319df06b85a1ad4e0fb00c8d508ebf50f70c1934ee48dbdc66e61b10b0ad319af733888aacaa775738188e
  SSDEEP: 6144:PNdMYdCojCslz3q43XjsEV+FAmpRYtxslEXcMiECHlkTE:VdpdCeqsj90ppy0qXrZgaE
Malware Config
  Extracted: gozi
    4099
    exe_type: worker
Signatures
  - Gozi family
  - Unsigned PE (1 IoC): Checks for missing Authenticode signature.
      resource 453286093b6b2d791b2505384bda59ccadebc3078ad66f13bf4a0262011aa954
Files
  - 453286093b6b2d791b2505384bda59ccadebc3078ad66f13bf4a0262011aa954.exe  windows:4 windows x86 arch:x86
    7c239b12229195f29dde016e51036cf2
Headers
  File Characteristics
    IMAGE_FILE_RELOCS_STRIPPED
    IMAGE_FILE_EXECUTABLE_IMAGE
    IMAGE_FILE_32BIT_MACHINE
Imports
  ntdll
    ZwOpenProcessToken
    ZwQueryInformationToken
    NtUnmapViewOfSection
    ZwCreateFile
    ZwQueryInformationProcess
    _allmul
    ZwOpenFile
    ZwWriteFile
    ZwReadFile
    ZwClose
    RtlInitUnicodeString
    memcpy
    memset
    RtlUnwind
    NtGetContextThread
    NtSetContextThread
    ZwDeviceIoControlFile
    RtlNtStatusToDosError
    NtCreateSection
    NtMapViewOfSection
    ZwOpenProcess
    _strupr
    RtlAdjustPrivilege
    RtlRandom
    NtQueryVirtualMemory
  shlwapi
    StrToIntA
    StrChrA
    StrStrIA
    StrRChrA
  kernel32
    SetEvent
    OpenEventA
    SleepEx
    FindFirstFileA
    CreateEventA
    GetLastError
    GetModuleFileNameA
    lstrcmpiA
    FindNextFileA
    CopyFileA
    GetModuleHandleA
    GetTickCount
    lstrlenA
    CreateProcessA
    MoveFileExA
    FindClose
    GetWindowsDirectoryA
    TerminateProcess
    ResetEvent
    GetSystemDirectoryA
    GetCommandLineA
    Sleep
    ExitProcess
    GetTempPathA
    lstrcatA
    LocalAlloc
    LocalFree
    OpenProcess
    DeleteFileA
    GetProcAddress
    GetVolumeInformationA
    GetCurrentProcess
    GetVersion
    CreateMutexA
    VirtualFree
    VirtualAlloc
    GetFileSize
    WaitForSingleObject
    lstrcpyA
    VirtualProtectEx
    SwitchToThread
    GetThreadContext
    CloseHandle
    lstrcpynA
    GetCurrentProcessId
    WriteFile
    CreateFileA
    SetEndOfFile
    lstrcmpA
    VirtualAllocEx
    ResumeThread
    SuspendThread
    WriteProcessMemory
    ReadFile
    SetFilePointer
    ReadProcessMemory
  user32
    wsprintfA
    GetWindowThreadProcessId
    ExitWindowsEx
    wsprintfW
    GetShellWindow
  advapi32
    ConvertStringSecurityDescriptorToSecurityDescriptorA
    OpenProcessToken
    GetTokenInformation
    RegCreateKeyA
    RegQueryValueExA
    RegCloseKey
    RegSetValueExA
    RegOpenKeyExA
    RegOpenKeyA
  shell32
    ShellExecuteExA
    ShellExecuteA
  ole32
    CoInitializeEx
  psapi
    GetModuleFileNameExA
    EnumProcessModules
Sections
  .text   Size: 23KB - Virtual size: 22KB
    IMAGE_SCN_CNT_CODE
    IMAGE_SCN_MEM_EXECUTE
    IMAGE_SCN_MEM_READ
  .rdata  Size: 3KB - Virtual size: 3KB
    IMAGE_SCN_CNT_INITIALIZED_DATA
    IMAGE_SCN_MEM_READ
  .data   Size: 1KB - Virtual size: 1KB
    IMAGE_SCN_CNT_INITIALIZED_DATA
    IMAGE_SCN_MEM_READ
    IMAGE_SCN_MEM_WRITE
  .bss    Size: 3KB - Virtual size: 3KB
    IMAGE_SCN_CNT_INITIALIZED_DATA
    IMAGE_SCN_MEM_READ
    IMAGE_SCN_MEM_WRITE
  .rsrc   Size: 232KB - Virtual size: 232KB
    IMAGE_SCN_CNT_INITIALIZED_DATA
    IMAGE_SCN_MEM_READ