gozi | ba4d979d9f66cfd9cfa188b565b25d17cd2608ee19f114c75815a2cb017e8116N[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ba4d979d9f66cfd9cfa188b565b25d17cd2608ee19f114c75815a2cb017e8116N.exe
Size

57KB
MD5

4c13d04e36512423c85cacc4e851d330
SHA1

19fc3b21b60dd36ff1114780e9e78e1ce6b496f8
SHA256

ba4d979d9f66cfd9cfa188b565b25d17cd2608ee19f114c75815a2cb017e8116
SHA512

90849661e9aa45c575b2ca13e0bbcc7e1f4bba7e87589ee247a855d6d70b56734b8e649f18b7e66b5e3034c261a019ac5826b4f969ae39da70db01bd8e3b1ae8
SSDEEP

768:oGysYcthPbMLsPwFuY2RrQI6jRdB53st+1GJ0V0ezPQdDVJb0OTrd4fJDVLOPEBq:oyFML+2YIf5YdDn/qGU1jDi3p

Score

10^/10

ldr4 1000 gozi

Malware Config

Extracted

Family

gozi

Botnet

1000

https://budalixt.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ba4d979d9f66cfd9cfa188b565b25d17cd2608ee19f114c75815a2cb017e8116N.exe

Files

ba4d979d9f66cfd9cfa188b565b25d17cd2608ee19f114c75815a2cb017e8116N.exe
.dll regsvr32 windows:5 windows x64 arch:x64

5992cfcd0ff330f5b6a5884722853bb3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

ntdll

mbstowcs
wcstombs
strchr
sprintf
memcmp
RtlInitUnicodeString
RtlNtStatusToDosError
RtlOemStringToUnicodeString
_snprintf
memcpy
memset
__C_specific_handler

kernel32

HeapDestroy
HeapCreate
SleepEx
RaiseException
LocalAlloc
GetTempPathW
CreateFileW
GetFileSize
GetTempFileNameW
lstrlenA
CreateProcessW
HeapFree
SetEvent
GetSystemTimeAsFileTime
InitializeCriticalSection
Sleep
WaitForSingleObject
GetExitCodeProcess
TerminateProcess
lstrlenW
GetLastError
EnterCriticalSection
WaitForMultipleObjects
lstrcmpiW
GetModuleHandleA
GetCurrentThreadId
CloseHandle
DeleteFileW
GetSystemTime
lstrcpyA
lstrcatA
PeekNamedPipe
WriteFile
CreateEventA
ReadFile
ResetEvent
CreatePipe
ResumeThread
lstrcpynA
CreateMutexA
DeleteCriticalSection
ReleaseMutex
SwitchToThread
HeapAlloc
LeaveCriticalSection
LoadLibraryA
GetProcAddress
SetLastError
WideCharToMultiByte
FreeLibrary

shlwapi

StrChrW
UrlEscapeA
wnsprintfW

advapi32

RegCloseKey
RegOpenKeyW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumKeyW

Exports

Exports

DllRegisterServer

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

5992cfcd0ff330f5b6a5884722853bb3

Headers

File Characteristics

Imports

ntdll

kernel32

shlwapi

advapi32

Exports

Exports

Sections

.text Size: 38KB - Virtual size: 38KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1KB - Virtual size: 1KB

.bss Size: 9KB - Virtual size: 9KB

.reloc Size: 512B - Virtual size: 24B

.text
Size: 38KB - Virtual size: 38KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1KB - Virtual size: 1KB

.bss
Size: 9KB - Virtual size: 9KB

.reloc
Size: 512B - Virtual size: 24B