gozi | 798d5713512b5cb6228138ceea7c8066[.]bin

General

Target

798d5713512b5cb6228138ceea7c8066.bin
Size

28KB
MD5

1731c186e5f896842151029ae8c21b5b
SHA1

866e50bf31d4cfd61ee542251ccde50f613f5a66
SHA256

eb5dcbde491776a5abe1340f2653684ab8a0e7b0f0c68a3a7787d2e97dff329a
SHA512

c92101d1d16b834d0f148561e4f93e579c280035053b7f0724499c4c423328f7fcf241a7d175a90f9182c0acd24ffcaff0b2cdfd35076f38935df48b1303d5d5
SSDEEP

768:tiJBLWqtmjOUTAUZkZBDMUPWDcigyAltTWKd837f1dl:tjdTLZbUPWDcBRlJWR37h

Score

10^/10

isfb 3000 gozi

Malware Config

Extracted

Family

gozi

Botnet

3000

C2

config.edge.skype.com

185.189.151.28

185.189.151.70

Attributes

base_path
/drew/
build
250229
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll

Files

798d5713512b5cb6228138ceea7c8066.bin
.zip

Password: infected
413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9.dll
.dll windows:5 windows x86 arch:x86

0d41e840891676bdaee3e54973cf5a69

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

ZwQueryInformationToken
ZwOpenProcess
ZwClose
ZwOpenProcessToken
_snwprintf
memcpy
strcpy
sprintf
mbstowcs
_snprintf
wcstombs
memset
_aulldiv
_allmul
_aullrem
RtlUnwind
NtQueryVirtualMemory

kernel32

RaiseException
LocalAlloc
HeapAlloc
InterlockedIncrement
InterlockedDecrement
HeapFree
SetEvent
GetTickCount
GetSystemTimeAsFileTime
Sleep
HeapDestroy
HeapCreate
SwitchToThread
lstrlenA
SetWaitableTimer
Process32First
WaitForSingleObject
SleepEx
CreateEventA
lstrlenW
GetLastError
GetProcAddress
Process32Next
WaitForMultipleObjects
GetModuleHandleA
CreateToolhelp32Snapshot
CloseHandle
CreateWaitableTimerA
lstrcpyA
ResetEvent
lstrcmpW
LoadLibraryA
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
lstrcmpA
CreateFileMappingW
MapViewOfFile
InterlockedExchange
ExpandEnvironmentStringsW
ExpandEnvironmentStringsA
QueryPerformanceFrequency
OpenProcess
GetVersion
GetCurrentProcessId
lstrcatA
QueryPerformanceCounter
GetComputerNameW
WideCharToMultiByte
GetComputerNameExA

oleaut32

SysAllocString
SafeArrayDestroy
SafeArrayCreate
SysFreeString

Sections

.text
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

0d41e840891676bdaee3e54973cf5a69

Headers

File Characteristics

Imports

ntdll

kernel32

oleaut32

Sections

.text Size: 30KB - Virtual size: 29KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 1000B

.bss Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 30KB - Virtual size: 29KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 1000B

.bss
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 4KB