gozi | installer[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

installer.exe
Size

195KB
MD5

9dd7f4587140ec81cc261c6d05bac60b
SHA1

6e999875685482810bb236383033195d329b923c
SHA256

5ecf8bf6a98fe1380171b15bafdd0523f2b85d27e7bc4cb73e36a6717a15b93f
SHA512

077224198ea5ac2d9b64a8fca1eb9141be35cee5ed4a625445024dc0939e797450ae7a94d9cb1ae392c7c24dfb8eb6dcd3a0cf2fdcd456640c71467538bb7ee1
SSDEEP

6144:KbemuOXxbzS5llg9JCWWRipfrA4is0rA:KjxxvSl6Fai9rA4iJ

Score

10^/10

isfb 1000 gozi

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi family
gozi
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

installer.exe

resource
installer.exe

Files

installer.exe
.exe windows:4 windows x86 arch:x86

0491aaa454ef721ff8f93ea179f9b75c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

memset
wcstombs
NtCreateSection
ZwClose
ZwOpenProcessToken
ZwQueryInformationToken
NtMapViewOfSection
RtlUnwind
memcpy
RtlNtStatusToDosError
ZwQueryInformationProcess
NtUnmapViewOfSection
_strupr
mbstowcs
NtGetContextThread
NtSetContextThread
ZwOpenProcess
RtlRandom
NtQueryVirtualMemory

shlwapi

PathFindExtensionA
PathCombineA
StrStrIA
StrRChrA
StrStrA
StrChrA

setupapi

SetupDiGetDeviceRegistryPropertyA
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsA

kernel32

FindFirstFileA
FindNextFileA
lstrcmpiA
CopyFileA
GetTickCount
HeapAlloc
GetModuleHandleA
CreateToolhelp32Snapshot
SetWaitableTimer
GetFileTime
CreateProcessA
FindClose
GetWindowsDirectoryA
CreateEventA
ResetEvent
GetCurrentProcess
GetSystemDirectoryA
Process32Next
CompareFileTime
HeapFree
CreateWaitableTimerA
GetTempPathA
OpenProcess
lstrcatA
Process32First
DeleteFileA
lstrlenA
OpenEventA
Sleep
SetEvent
WaitForSingleObject
TerminateProcess
HeapCreate
HeapDestroy
GetCommandLineA
ExitProcess
GetLastError
SetFileAttributesW
DeleteFileW
CloseHandle
CreateFileA
ReadFile
lstrcpyA
GetThreadContext
VirtualProtectEx
ResumeThread
SuspendThread
lstrcmpA
lstrcpynA
WriteFile
GetTempFileNameA
SetEndOfFile
ExpandEnvironmentStringsW
CreateFileW
GetFileSize
lstrcmpW
LocalFree
GetVersion
lstrlenW
GetModuleFileNameW
GetModuleFileNameA
ReadProcessMemory
SetFilePointer
VirtualAllocEx
CreateRemoteThread
VirtualFree
VirtualAlloc
GetProcAddress
GetCurrentProcessId
WriteProcessMemory

user32

GetCursorPos
GetShellWindow
SystemParametersInfoW
wsprintfA
GetWindowThreadProcessId
GetWindowRect
GetWindowDC

advapi32

RegEnumKeyExA
LookupPrivilegeValueA
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorA
FreeSid
SetSecurityInfo
AllocateAndInitializeSid
SetEntriesInAclA
OpenProcessToken
RegQueryValueExA
RegOpenKeyA
RegCreateKeyA
GetTokenInformation
GetSidSubAuthority
SetNamedSecurityInfoA
RegCloseKey
GetSecurityInfo
RegSetValueExA
RegOpenKeyExA
GetSidSubAuthorityCount

shell32

ShellExecuteA
ord92
ShellExecuteExA

ole32

CoInitializeEx
CoUninitialize

gdiplus

GdipSaveImageToFile
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipDisposeImage
GdiplusStartup
GdipGetImageEncodersSize

gdi32

SelectObject
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap
CreateCompatibleDC

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 169KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

0491aaa454ef721ff8f93ea179f9b75c

Headers

File Characteristics

Imports

ntdll

shlwapi

setupapi

kernel32

user32

advapi32

shell32

ole32

gdiplus

gdi32

Sections

.text Size: 18KB - Virtual size: 17KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 1KB

.bss Size: 1KB - Virtual size: 1KB

.rsrc Size: 169KB - Virtual size: 172KB

.text
Size: 18KB - Virtual size: 17KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 1KB

.bss
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 169KB - Virtual size: 172KB