Behavioral task behavioral1
Sample: 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll
Resource: win10v2004-20241007-en
General
- Target: 798d5713512b5cb6228138ceea7c8066.bin
- Size: 28KB
- MD5: 1731c186e5f896842151029ae8c21b5b
- SHA1: 866e50bf31d4cfd61ee542251ccde50f613f5a66
- SHA256: eb5dcbde491776a5abe1340f2653684ab8a0e7b0f0c68a3a7787d2e97dff329a
- SHA512: c92101d1d16b834d0f148561e4f93e579c280035053b7f0724499c4c423328f7fcf241a7d175a90f9182c0acd24ffcaff0b2cdfd35076f38935df48b1303d5d5
- SSDEEP: 768:tiJBLWqtmjOUTAUZkZBDMUPWDcigyAltTWKd837f1dl:tjdTLZbUPWDcBRlJWR37h
Malware Config
Extracted
gozi
3000
config.edge.skype.com
185.189.151.28
185.189.151.70
- base_path: /drew/
- build: 250229
- exe_type: loader
- extension: .jlk
- server_id: 50
Signatures
- Gozi family
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource unpack001/413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll
Files
- 798d5713512b5cb6228138ceea7c8066.bin.zip (Password: infected)
- 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll.dll windows:5 windows x86 arch:x86
  0d41e840891676bdaee3e54973cf5a69
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
ntdll
ZwQueryInformationToken
ZwOpenProcess
ZwClose
ZwOpenProcessToken
_snwprintf
memcpy
strcpy
sprintf
mbstowcs
_snprintf
wcstombs
memset
_aulldiv
_allmul
_aullrem
RtlUnwind
NtQueryVirtualMemory
kernel32
RaiseException
LocalAlloc
HeapAlloc
InterlockedIncrement
InterlockedDecrement
HeapFree
SetEvent
GetTickCount
GetSystemTimeAsFileTime
Sleep
HeapDestroy
HeapCreate
SwitchToThread
lstrlenA
SetWaitableTimer
Process32First
WaitForSingleObject
SleepEx
CreateEventA
lstrlenW
GetLastError
GetProcAddress
Process32Next
WaitForMultipleObjects
GetModuleHandleA
CreateToolhelp32Snapshot
CloseHandle
CreateWaitableTimerA
lstrcpyA
ResetEvent
lstrcmpW
LoadLibraryA
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
lstrcmpA
CreateFileMappingW
MapViewOfFile
InterlockedExchange
ExpandEnvironmentStringsW
ExpandEnvironmentStringsA
QueryPerformanceFrequency
OpenProcess
GetVersion
GetCurrentProcessId
lstrcatA
QueryPerformanceCounter
GetComputerNameW
WideCharToMultiByte
GetComputerNameExA
oleaut32
SysAllocString
SafeArrayDestroy
SafeArrayCreate
SysFreeString
Sections
.text Size: 30KB - Virtual size: 29KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1000B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ