gozi | 9251090fce3ce31a5ca8fbe6d40257859cd262494936379c3192c360b3f6500c[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

9251090fce3ce31a5ca8fbe6d40257859cd262494936379c3192c360b3f6500c.zip
Size

134KB
MD5

f9e75ba71e409d86e7400e2dca68afaf
SHA1

56fc654aad7f987290175eb9da66f51ba3a64c76
SHA256

9251090fce3ce31a5ca8fbe6d40257859cd262494936379c3192c360b3f6500c
SHA512

357c6a25b77e3fd1131f2e50d677f18d9ae7307ed29bc769e517547c8bd9c6e4c4bae927fe84795485d474d17dc2a5ad73c10698cb1310902fa2232fc7358dc9
SSDEEP

3072:Fn9c/kmXAbJicpdM7VjdRfhMFJ9VRnGatGWCGc3aMUccxCo:o/6VJpSVjbpUG0GWCGgagiCo

Score

10^/10

isfb 1100 gozi

Malware Config

Extracted

Family

gozi

Botnet

1100

app.crasa.at/api1

g4xp7aanksu6qgci.onion/api1

hop.feen007.at/api1

l35sr5h5jl7xrh2q.onion/api1

gm.amaroker.at/api1

frls.amarob.xyz/api1

6buzj3jmnvrak4lh.onion/api1

cd1.novand.at/api1

ram.unici.at/api1

wrt.foreklo.at/api1

Attributes

build
250180
exe_type
worker
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/bf297503bf1a01bc698294d1d66c9e58512f557ff452996d2a06344de157b723.exe

Files

9251090fce3ce31a5ca8fbe6d40257859cd262494936379c3192c360b3f6500c.zip
.zip

Password: infected
bf297503bf1a01bc698294d1d66c9e58512f557ff452996d2a06344de157b723.exe
.dll windows:4 windows x64 arch:x64

ce83b6a6bda7ec04d7f1a2124cee2b13

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

NtSetInformationProcess
strcpy
ZwOpenProcess
ZwOpenProcessToken
ZwClose
ZwQueryInformationToken
ZwQueryInformationProcess
NtQuerySystemInformation
RtlNtStatusToDosError
RtlImageNtHeader
_wcsupr
memmove
mbstowcs
wcscpy
_snprintf
RtlUpcaseUnicodeString
RtlFreeUnicodeString
ZwQueryKey
wcstombs
memcpy
memset
_snwprintf
RtlAdjustPrivilege
_strupr
NtQueryInformationThread
sprintf
__C_specific_handler
__chkstk
VirtualProtectEx
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
FindFirstFileA
GetFileTime
FindNextFileA
CompareFileTime
ExpandEnvironmentStringsA
CreateThread
TerminateThread
GetCurrentProcessId
IsWow64Process
GetVersion
GetLocalTime
HeapAlloc
HeapFree
CreateDirectoryA
GetLastError
RemoveDirectoryA
CloseHandle
LoadLibraryA
CreateFileA
DeleteFileA
lstrcpyA
lstrlenA
WriteFile
lstrcatA
GetModuleHandleA
ExitThread
HeapDestroy
HeapCreate
SetEvent
HeapReAlloc
GetSystemTimeAsFileTime
WaitForSingleObject
LeaveCriticalSection
lstrlenW
InitializeCriticalSection
lstrcatW
SwitchToThread
SetWaitableTimer
OpenProcess
GetCurrentThreadId
DuplicateHandle
GetFileSize
GetTickCount
GetCurrentThread
Sleep
CopyFileW
CreateFileW
DeleteFileW
EnterCriticalSection
GetWindowsDirectoryA
GetTempPathA
CreateDirectoryW
CreateEventA
lstrcmpiW
SuspendThread
ResumeThread
lstrcpyW
ReleaseMutex
CreateWaitableTimerA
SetLastError
lstrcmpiA
lstrcmpA
WaitForMultipleObjects
MapViewOfFile
UnmapViewOfFile
ResetEvent
OpenWaitableTimerA
CreateMutexA
OpenMutexA
UnregisterWait
VirtualAlloc
VirtualProtect
TlsGetValue
RegisterWaitForSingleObject
TlsAlloc
LoadLibraryExW
TlsSetValue
TerminateProcess
OpenEventA
AddVectoredExceptionHandler
RemoveVectoredExceptionHandler
VirtualFree
GetComputerNameW
GetProcAddress
GetDriveTypeW
WideCharToMultiByte
GetLogicalDriveStringsW
OpenFileMappingA
GetExitCodeProcess
LocalFree
CreateProcessA
CreateFileMappingA
lstrcpynA
Thread32Next
Thread32First
CreateToolhelp32Snapshot
QueueUserAPC
OpenThread
CallNamedPipeA
CreateNamedPipeA
GetSystemTime
WaitNamedPipeA
ReadFile
ConnectNamedPipe
GetOverlappedResult
CancelIo
DisconnectNamedPipe
FlushFileBuffers
ExitProcess
SleepEx
LocalAlloc
FreeLibrary
RaiseException
QueryPerformanceFrequency
QueryPerformanceCounter
GetTempFileNameA
VirtualQuery
DeleteCriticalSection
RemoveDirectoryW
ExpandEnvironmentStringsW
SetEndOfFile
SetFilePointer
GetFileAttributesW
SetFilePointerEx
FindFirstFileW
FindNextFileW
FindClose
GetVersionExA

Sections

.text
Size: 198KB - Virtual size: 198KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

ce83b6a6bda7ec04d7f1a2124cee2b13

Headers

File Characteristics

Imports

Sections

.text Size: 198KB - Virtual size: 198KB

.rdata Size: 26KB - Virtual size: 25KB

.data Size: 6KB - Virtual size: 7KB

.pdata Size: 6KB - Virtual size: 6KB

.bss Size: 8KB - Virtual size: 7KB

.reloc Size: 2KB - Virtual size: 4KB

.text
Size: 198KB - Virtual size: 198KB

.rdata
Size: 26KB - Virtual size: 25KB

.data
Size: 6KB - Virtual size: 7KB

.pdata
Size: 6KB - Virtual size: 6KB

.bss
Size: 8KB - Virtual size: 7KB

.reloc
Size: 2KB - Virtual size: 4KB