hi,
perhaps somebody can share some gozi dropper, thx
shaheen wrote: I need a sample of Gozi trojan, preferably latest variant.
Thanks
GDI32.dll SHELL32.dll CreateProcessAsUserA CreateProcessAsUserW ADVAPI32.DLL CreateProcessA CreateProcessW KERNEL32.DLL CryptGetUserKey .pfx p a s s w o r d Exported %u certs to file %s
No certs found in "%S".
Certs thread started.
My AddressBook AuthRoot CertificateAuthority Disallowed Root TrustedPeople TrustedPublisher Certs ended with status %u
financepfrro.com.tw masmitnd.com.tw wednesltr.com.tw 208.115.205.41 95.143.198.47 s1 k1 k2 Version Data FILE /ping http://%s%s user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x Config from: %s
Config load status: %u
Config updated.
Config update failed.
cert /uda cook sys PR_Close PR_Write PR_Read NSPR4.DLL nspr4.dll %x
Content-Length: %u
Content-Type text/html javascript json Content-Length : chunked Transfer-Encoding ocsp Accept-Encoding: If-Modified-Since: If-None-Match: gz=1 * \ \ \ ? \ Local\ Makezip ended with status %u
%s%0.8X%0.8X.tmp File "%s" added to send list.
Add HANDLE To Send %0.8X
\*.* Host User-Agent HttpQueryInfoW HttpQueryInfoA InternetConnectW InternetConnectA LoadLibraryExW InternetQueryDataAvailable HttpSendRequestW HttpSendRequestA InternetReadFileExW InternetReadFileExA InternetReadFile WININET.DLL WININET.dll Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent gzip identity Accept-Encoding: identity
A c c e p t - E n c o d i n g : i d e n t i t y Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500 http:// https:// i m a g e / g i f screen %.4u %user_id% %u %version_id% NEWGRAB grabs SCREENSHOT PROCESS HIDDEN http %%param_%s%% URL: %s
user=%s&pass=%s auth /ufs POST URL: %s
form GetNativeSystemInfo OS: Microsoft Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows Server 2003 R2, Windows Storage Server 2003 Windows Home Server Windows XP Professional x64 Edition Windows Server 2003, Windows XP Home Edition Professional Windows 2000 Datacenter Server Advanced Server Server (build: %d) 64-bit 32-bit Unknown
ARCH: x64 (AMD or Intel) Intel Itanium-based x86 32bit
USER: Admin User URL: %s
KEY: %s html %02u:%02u:%02u [PipesProcessCommand] SocksStart. Data: %s
[PipesProcessCommand] SocksStart. Data: NULL
[PipesProcessCommand] SocksStart Status = %u
[PipesProcessCommand] SocksStop. /fp %lu iexplore.exe firefox.exe chrome.exe opera.exe safari.exe explorer.exe ExitProcess --------------------------%04x%04x%04x Content-Type: multipart/form-data; boundary=%s Content-Disposition: form-data; name="upload_file"; filename="%s" Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" Content-Type: application/octet-stream --%s
%s %s & --%s = Content-Disposition: form-data; name="%s"
%s --%s-- FullURL "%s%s"
file ProcessQueue: Flag %u, Size %u
user_id=%.4u&version_id=%lu&%s=1 noname Sending %u bytes of file "%s" of type "%s" to URL: %s
Send file status: 0x%0.8X
Sending %u bytes of type "%s" to URL: %s
Send %s status: 0x%0.8X
ProcessQueue: Status %0.8X
GET Content-Type: application/x-www-form-urlencoded SOFTWARE\AppDataLow\ \Vars \\.\pipe\ \Microsoft\ S:(ML;;NW;;;LW) D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) \\.\%s %lu.exe Software\Microsoft\Windows\CurrentVersion\Run \ \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ c o o k i e s . s q l i t e c o o k i e s . s q l i t e - j o u r n a l \ M a c r o m e d i a \ F l a s h P l a y e r \ * . s o l * . t x t \ s o l s \ c o o k i e . i e \ c o o k i e . f f Cookies thread started.
Cookies ended with status %u
Received %s
EXE DL_EXE DL_EXE_ST CLEAR_COOK VER REBOOT KILL GET_CERTS GET_COOKIES SOCKS_START SOCKS_STOP GET_LOG log /ucommd ZwWow64ReadVirtualMemory64 ntdll.dll .dll IsWow64Process ZwWow64QueryInformationProcess64 LoadLibraryA Wow64ApcRoutine wow64 FreeLibrary open kernelbase ntdll kernel32 {%08x-%04x-%04x-%04x-%08x%04x}
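The string dump above mixes C2 domains and IPs, beacon URL templates, registry and named-pipe paths, imported API names and targeted browser process names. A first triage step is to sort such a dump into indicator classes so the network IoCs can be blocked and the host artifacts turned into detection logic. The following script is an added example written for this post, not code from the thread or from the malware; it runs over a small constructed subset of the strings shown above and the category heuristics (regular expressions, the ANSI/Unicode API-pair rule) are assumptions of the example, not properties of the sample.

```python
import re

# Constructed sample input: a handful of lines copied from the strings dump above.
SAMPLE_STRINGS = [
    "financepfrro.com.tw",
    "masmitnd.com.tw",
    "208.115.205.41",
    "95.143.198.47",
    "user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "\\\\.\\pipe\\",
    "HttpSendRequestW",
    "InternetReadFileExA",
    "CreateProcessAsUserW",
    "iexplore.exe",
    "firefox.exe",
    "WININET.DLL",
    "Config load status: %u",
]

# Heuristic patterns (assumptions of this example, tuned to strings(1)-style output).
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
REGKEY = re.compile(r"^(?:HKLM\\|HKCU\\|Software\\|SYSTEM\\)", re.I)
PIPE = re.compile(r"^\\\\\.\\pipe\\", re.I)          # matches \\.\pipe\...
EXE = re.compile(r"\.exe$", re.I)
DLL = re.compile(r"\.dll$", re.I)
FORMAT = re.compile(r"%[-+ #0-9.l]*[a-zA-Z]")       # printf-style placeholder
# Win32 ANSI/Unicode pairs end in A or W after a lowercase letter or digit.
APIPAIR = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z0-9][AW]$")


def classify(s):
    """Return an indicator class for one extracted string, or None for blanks."""
    s = s.strip()
    if not s:
        return None
    # Order matters: "iexplore.exe" and "WININET.DLL" also look like domains.
    if IPV4.match(s):
        return "ipv4"
    if PIPE.match(s):
        return "named_pipe"
    if REGKEY.match(s):
        return "registry_key"
    if EXE.search(s):
        return "process_name"
    if DLL.search(s):
        return "dll_import"
    if FORMAT.search(s):
        # Placeholders inside key=value or http text are beacon/URL templates.
        return "url_template" if ("=" in s or "http" in s) else "format_string"
    if APIPAIR.match(s):
        return "api_name"
    if DOMAIN.match(s):
        return "domain"
    return "other"


def triage_strings(lines):
    """Group a strings dump into indicator classes, preserving input order."""
    report = {}
    for line in lines:
        cls = classify(line)
        if cls is not None:
            report.setdefault(cls, []).append(line.strip())
    return report


def network_iocs(report):
    """Network indicators ready for a blocklist: domains and IPs, sorted."""
    return sorted(report.get("domain", []) + report.get("ipv4", []))


if __name__ == "__main__":
    rep = triage_strings(SAMPLE_STRINGS)
    for cls, items in rep.items():
        print(f"{cls}:")
        for item in items:
            print(f"  {item}")
    print("network IoCs:", network_iocs(rep))
```

Feed it the full output of `strings` on a sample (one string per line) and review the `url_template` and `named_pipe` classes by hand: the URL templates give the beacon query shape to look for in proxy logs, and the registry Run key plus pipe prefix are the host-side artifacts a persistence or EDR rule can key on.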
dumb110 wrote: https://www.virustotal.com/file/2a8d08b ... /analysis/
sample please :lol: