Behavioral task: behavioral1
Sample: 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e.exe
Resource: win10v2004-20240611-en
General
- Target: 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e
- Size: 344KB
- MD5: b49d5aa9929e401eac02d9c10ec17b17
- SHA1: ee0d9a91f52de9b74b8de36e25c2de91d008cee5
- SHA256: 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e
- SHA512: 7ee8260cf4ebd4875f0718652e80fae4b64c57f84cb60736998a6d59bf0131e862b00362ce9b7efbcd4732ce8d749176c8a74e816511b7b86a39c07b0d7293f0
- SSDEEP: 6144:1ULalLLjn9myvyirAmyl+XO5gGVE2c378vVjk6KdfNj7cW1pAIB:HlLX9myvya3HEzKL82dfiWpAIB
Malware Config
Extracted: gozi
Extracted: gozi
1000
bonkacho.com
ihakispamhous.ru
gazuralnews.ru
gazitivaton.ru
- build: 204439
- exe_type: worker
- server_id: 12
Signatures
- Gozi family
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  Processes: resource 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e

Files
- 5592f7cd87be75bbe942ebe124ab5e3b9c3e79c3ba6e2c1a5d3806507b9a365e.exe windows:5 windows x86 arch:x86
  8cbd82dd0fccd173ff0dd2572840ba0a
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
ntdll: NtQuerySystemInformation, mbstowcs, ZwQueryInformationProcess, ZwClose, RtlNtStatusToDosError, memset, NtUnmapViewOfSection, memcpy, RtlUnwind, ZwOpenProcessToken, ZwOpenProcess, NtCreateSection, ZwQueryInformationToken, RtlFreeUnicodeString, NtMapViewOfSection, RtlUpcaseUnicodeString, NtQueryVirtualMemory
shlwapi: StrRChrA, StrChrA, PathCombineW, StrChrW, StrTrimW, PathFindExtensionA, PathFindExtensionW
kernel32: SetEvent, GetTickCount, WriteFile, Sleep, CreateEventA, CreateProcessA, CreateFileW, lstrcatA, lstrlenW, FlushFileBuffers, FindFirstFileA, GetLastError, GetProcAddress, FindClose, ResetEvent, FindNextFileA, lstrcmpiW, lstrcatW, GetFileTime, CloseHandle, DeleteFileW, CreateWaitableTimerA, lstrcpyW, SetFileAttributesW, lstrcpyA, GetTempPathA, GetTempFileNameA, CreateDirectoryW, HeapFree, CompareFileTime, SetWaitableTimer, HeapAlloc, SetEndOfFile, CreateFileA, GetModuleHandleA, HeapCreate, HeapDestroy, GetCommandLineW, ExitProcess, GetSystemTimeAsFileTime, CreateDirectoryA, ReadFile, ExpandEnvironmentStringsW, WaitForSingleObject, lstrcmpA, LocalFree, lstrcpynA, GetModuleFileNameA, VirtualAlloc, lstrcmpiA, GetModuleFileNameW, lstrlenA, VirtualFree, ExpandEnvironmentStringsA, SetFilePointer, GetFileSize, GetCurrentProcessId, GetVersion, GetLongPathNameW, ResumeThread, SuspendThread, CreateRemoteThread, OpenProcess, VirtualProtectEx
user32: GetCursorInfo, wsprintfW, wsprintfA, FindWindowA
advapi32: RegDeleteValueW, RegEnumKeyExA, RegOpenKeyW, ConvertStringSecurityDescriptorToSecurityDescriptorA, RegSetValueExW, RegCloseKey, RegOpenKeyA, RegOpenKeyExA, RegCreateKeyA, RegQueryValueExW, RegQueryValueExA, RegSetValueExA, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, OpenProcessToken
shell32: ShellExecuteW, ord92, ShellExecuteExW
ole32: CoUninitialize, CoInitializeEx
Sections
- .text Size: 16KB - Virtual size: 16KB; flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata Size: 3KB - Virtual size: 3KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data Size: 1024B - Virtual size: 1KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .bss Size: 1KB - Virtual size: 1KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .rsrc Size: 319KB - Virtual size: 320KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ