Edit tour

Windows Analysis Report
gozi_loader.bin.exe

Overview

General Information

Sample Name:	gozi_loader.bin.exe
Analysis ID:	829723
MD5:	700d3ea5098e7b7f45fceec4df9df798
SHA1:	8796dfe929e1f9d507a4c7da048fb80eeaed94eb
SHA256:	061c271c0617e56aeb196c834fcab2d24755afa50cd95cc6a299d76be496a858
Tags:	7709exegozi
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected Ursnif

Found evasive API chain (may stop execution after checking system information)

Writes or reads registry keys via WMI

Writes registry values via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Contains functionality to call native functions

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Contains functionality to dynamically determine API calls

Classification

Process Tree

System is w10x64

gozi_loader.bin.exe (PID: 5828 cmdline: C:\Users\user\Desktop\gozi_loader.bin.exe MD5: 700D3EA5098E7B7F45FCEEC4DF9DF798)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "X0CjtxCEKhyWPVzp/ypnuYDLNIOhkqPDio0ZyqaAtAnkFEsoQnBwh+tF9ICcDX0ifMDWcBjhwZoirN+aTqJXJlbhk0Ve6q6ZbFlkkvZMgxosr3pMdiauYeQ90ivavpHebCxhRZxAtsp2ORNHCEiYgF72+cVEjuJDfG0Ix9Z30gBFauUEbEbx4aeIvTonSjXG3aF3/+WexILzZBT8G6LohnVlt8mcAM//OC6cXwk1gyscR6PxkpD1IRbzi9V6b1oxKje1De4hIMx1QizHvXbcQQK+/sLO0kr23FfUgVRhjnHWAGKHyANFU1dIviwuls3MsDx7dUZbdioQXIUlQY7nSWTk+HvbCX58ke9Hwzn2SHs=", "c2_domain": ["checklist.skype.com", "62.173.141.252", "31.41.44.33", "109.248.11.112"], "botnet": "7709", "server": "50", "serpent_key": "pThBpljTg5GSXpa1", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.389853004.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389853004.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389853004.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389784429.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389784429.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389784429.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.512474249.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.512474249.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.512474249.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389835658.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389835658.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389835658.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389702984.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389702984.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389702984.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389820029.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389820029.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389820029.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389734905.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389734905.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389734905.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389803220.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389803220.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389803220.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389762139.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.389762139.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.389762139.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c80:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: gozi_loader.bin.exe PID: 5828	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: gozi_loader.bin.exe PID: 5828	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xa4f:$a5: filename="%.4u.%lu" 0xc05:$a5: filename="%.4u.%lu" 0xb09b:$a5: filename="%.4u.%lu" 0xb251:$a5: filename="%.4u.%lu" 0x602:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xac4e:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x776:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xb4f:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xd07:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x300a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x30eb:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3296:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xadc2:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xb19b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xb353:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdf12:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdff3:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe257:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf67:$a9: &whoami=%s 0xb5b3:$a9: &whoami=%s 0xf50:$a10: %u.%u_%u_%u_x%u
Process Memory Space: gozi_loader.bin.exe PID: 5828	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xaf6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xcae:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xb142:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xb2fa:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x602:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x65f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xac4e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xacab:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa1b:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xbd1:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xb067:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xb21d:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe01:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x10da:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xb44d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xb726:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xea3:$a9: Software\AppDataLow\Software\Microsoft\ 0x1177:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c9f:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cec:$a9: Software\AppDataLow\Software\Microsoft\ 0xb4ef:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 25 entries

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
gozi_loader.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gozi_loader.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Windows Analysis Report
gozi_loader.bin.exe