Malware Analysis Report

2025-03-15 07:45

Sample ID: 240202-eea5lafdhr
Target: 8879fdbfc9bc619b562119dcd86523d7
SHA256: 88a4c2abc81f7556f21736b7c96ce8001985774d804d699fc20f1231052b52d1
Tags: upx isfb gozi
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 88a4c2abc81f7556f21736b7c96ce8001985774d804d699fc20f1231052b52d1
Threat level: Known bad (the file 8879fdbfc9bc619b562119dcd86523d7 was found to be: Known bad)

Malicious Activity Summary

Tags: upx isfb gozi (ISFB is the codebase behind the Gozi/Ursnif banking trojan; UPX is the packer wrapped around it)

Gozi family
Deletes itself
Loads dropped DLL
UPX packed file
Executes dropped EXE
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself

Read together, UnmapMainImage and WriteProcessMemory are the API pattern of process hollowing (unmap a process's main image, then write a replacement into it). Both behavioural runs below show the sample launching a second instance of its own image and the on-disk file at its own path changing content during the run, which is consistent with that pattern and with the RenamesItself / Deletes itself / Executes dropped EXE signatures.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-02 03:50

Signatures

Gozi family (gozi)
UPX packed file (upx)
Unsigned PE

No description, indicator, process or target fields were recorded for the static signatures (all N/A).
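The two static signatures that do not depend on family detection, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone. The following is an added example written for this report, not output of the sandbox or code from the sample: a minimal PE32/PE32+ header parser that reports the UPX section layout (UPX0/UPX1 names, a first section with no raw data but a large virtual size as the unpack destination, a high-entropy executable section holding the compressed body) and whether the Authenticode certificate table (data directory index 4) is empty. Because the analysed sample is not on this page, the input is a constructed, non-runnable PE whose section table mimics a UPX-packed binary; the section sizes and offsets in it are assumptions, not values from the sample.

```python
import math
import random
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for compressed/encrypted data, low for padding or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> COFF -> optional header -> section table; no third-party deps."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at offset 96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase/stack/heap fields push them to 112
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        # For the certificate table the first field is a file offset, not an RVA; size 0 means unsigned.
        _cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, *_unused, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2), "chars": schars})
        off += 40
    return {"machine": machine, "signed": cert_size > 0, "sections": sections}


def upx_indicators(pe: dict) -> list:
    """Heuristics behind a 'UPX packed file' verdict; each hit is one human-readable reason."""
    hits, secs = [], pe["sections"]
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        hits.append("section names " + ", ".join(upx_names))
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append(f"first section {secs[0]['name']!r} has no raw data but {secs[0]['vsize']:#x} bytes "
                    "of virtual size (unpack destination)")
    for s in secs:
        if s["rawsize"] and s["entropy"] >= 7.0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"executable section {s['name']!r} has entropy {s['entropy']} (compressed code)")
    return hits


def build_synthetic_upx_pe(seed: int = 1) -> bytes:
    """Constructed test input (assumption, not the analysed sample): a minimal PE32 with a
    UPX-style section table, an empty certificate table and no loadable code."""
    rng = random.Random(seed)
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x1B000, 0x1000, 0, 0x400, 0xE0000080),       # uninitialised, RWX: unpack target
        (b"UPX1", 0x3000, 0x1C000, 0x2800, 0x400, 0xE0000040),  # packed body + stub, RWX
        (b".rsrc", 0x1000, 0x1F000, 0x200, 0x2C00, 0xC0000040), # resources, RW
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes; certificate table left zero => unsigned
    hdr = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    for name, vsize, va, rawsize, rawptr, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    img = bytearray(0x2E00)
    img[:len(hdr)] = hdr
    img[0x400:0x400 + 0x2800] = bytes(rng.getrandbits(8) for _ in range(0x2800))  # high-entropy body
    img[0x2C00:0x2C00 + 0x200] = b"\0" * 0x180 + b"A" * 0x80                       # low-entropy resources
    return bytes(img)


if __name__ == "__main__":
    pe = parse_pe(build_synthetic_upx_pe())
    print("signed:", pe["signed"])
    for s in pe["sections"]:
        print(f"{s['name']:<8} va={s['va']:#08x} vsize={s['vsize']:#08x} raw={s['rawsize']:#06x} H={s['entropy']}")
    for reason in upx_indicators(pe):
        print("UPX indicator:", reason)
```

Run it against a real file with `parse_pe(open(path, "rb").read())`. The entropy test is the one that survives a renamed or stripped section table; the name test alone is trivially defeated by editing the eight-byte section names.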

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 03:50

Reported

2024-02-02 03:53

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe"

Signatures

Deletes itself: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
Executes dropped EXE: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
Loads dropped DLL: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
UPX packed file (upx): three hits, no process recorded
Suspicious behavior: RenamesItself: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe

Description, indicator and target fields are N/A for every entry.

Processes

C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
  "C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe"
C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe

All three entries share the sample's own image path, and the memory dumps below come from two PIDs (1716 and 2392): the sample starts a further instance of itself rather than a separate dropped binary. A process spawning a copy of its own image from %TEMP% is the pattern the UnmapMainImage / WriteProcessMemory signatures in the summary are reacting to.

Network

Country  Destination          Domain          Proto
US       8.8.8.8:53           zipansion.com   udp
US       172.67.144.180:80    zipansion.com   tcp
US       8.8.8.8:53           yxeepsek.net    udp
US       172.67.194.101:80    yxeepsek.net    tcp

Both domains resolve into Cloudflare's 172.67.0.0/16 range, so the two addresses are shared CDN edges rather than attacker infrastructure; block and hunt on the domain names and the port 80 TCP traffic to them, not on the IPs.

Files

memory/1716-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1716-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1716-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
MD5 a3437bcbdc3efb50e06ae7ca3a772ae4
SHA1 8d2c2c972551e053bb63dd0819282adf132bccef
SHA256 d01c4f0575ec688448bb24cebaeca0b7f106937903bac66b94f65d1977d35d7b
SHA512 9fdd860e769362a37b0c944b114bf58a8ab591a2d793bd994b8e0b566d1960cb16cb7f1c276c090c8247e665187a7acaac61001a4257f9769d8b70c84da2149c

memory/1716-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2392-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2392-18-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2392-15-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
MD5 86207e95ccf018b55571819afa70c9b0
SHA1 9b067dc7e6ba39861c8542ef5e5a4d331ff9f4aa
SHA256 996b267978bafaecdc44cdff94abff4f2c93c976bd58cc4248b6dede71880754
SHA512 5012ba8e0a068241b627c9a7b56c1f35f63e9e55b916173ff95ea9d8197765a0dafe15b12035210112dbc0a90b65309167266abbf6769e8e30f25f780692be37

memory/2392-23-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2392-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2392-30-0x0000000000400000-0x00000000008EF000-memory.dmp

The file at the sample's own path is captured twice during the run with different content (SHA256 d01c4f05... and 996b2679...), and neither matches the submitted sample (88a4c2ab...): the bytes at that path change while the sample executes, which is what the RenamesItself, Deletes itself and Executes dropped EXE signatures describe. The region at the image base 0x400000 is also dumped at different sizes within the same PID (0x62A000, 0x8EF000, 0x61D000 as end addresses), so the mapping there is replaced at least once per process rather than being the static loaded image.
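The memory-dump names the sandbox emits encode PID, dump order and region extents, which is enough to spot the image-base remapping and the image-sized staging buffer without opening a single dump. The following is an added example for this report, not sandbox or sample code: it parses the dump names copied from the behavioral1 Files list, lists every PID whose region at 0x400000 was captured with more than one size (a normally loaded image keeps one size for its lifetime, so a change means the mapping was replaced by in-place unpacking or hollowing), and flags regions elsewhere whose size exactly equals an image-base region, the usual shape of a copy of the image staged before it is written into another process. The image base of 0x400000 is taken from the dump names; treating it as the main module's base is an assumption.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 Files list (PIDs 1716 and 2392).
BEHAVIORAL1_DUMPS = [
    "memory/1716-0-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1716-1-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1716-2-0x0000000001B20000-0x0000000001C53000-memory.dmp",
    "memory/1716-14-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2392-16-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/2392-18-0x0000000000130000-0x0000000000263000-memory.dmp",
    "memory/2392-15-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2392-23-0x0000000003410000-0x000000000363A000-memory.dmp",
    "memory/2392-22-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/2392-30-0x0000000000400000-0x00000000008EF000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; <seq> is the sandbox's dump order, not a timestamp.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names) -> dict:
    """Group parsed regions per PID, ordered by dump sequence."""
    by_pid = defaultdict(list)
    for r in map(parse_dump_name, names):
        by_pid[r["pid"]].append(r)
    for regs in by_pid.values():
        regs.sort(key=lambda r: r["seq"])
    return dict(by_pid)


def remapped_bases(by_pid: dict, image_base: int = 0x400000) -> dict:
    """PIDs whose region at image_base was dumped with more than one size -> [(seq, size), ...]."""
    out = {}
    for pid, regs in by_pid.items():
        at_base = [(r["seq"], r["size"]) for r in regs if r["start"] == image_base]
        if len({size for _, size in at_base}) > 1:
            out[pid] = at_base
    return out


def image_sized_buffers(by_pid: dict, image_base: int = 0x400000) -> list:
    """Regions away from image_base whose size equals some image-base region size seen in any
    PID: candidate staging copies of an image, returned as (pid, seq, start, size)."""
    image_sizes = {r["size"] for regs in by_pid.values() for r in regs if r["start"] == image_base}
    return [(pid, r["seq"], r["start"], r["size"])
            for pid, regs in by_pid.items() for r in regs
            if r["start"] != image_base and r["size"] in image_sizes]


if __name__ == "__main__":
    regs = regions_by_pid(BEHAVIORAL1_DUMPS)
    for pid, seq_sizes in remapped_bases(regs).items():
        print(f"PID {pid}: image base remapped; sizes in dump order:",
              ", ".join(f"#{seq}={size:#x}" for seq, size in seq_sizes))
    for pid, seq, start, size in image_sized_buffers(regs):
        print(f"PID {pid} dump #{seq}: region at {start:#x} is image-sized ({size:#x})")
```

On the behavioral1 names this reports both PIDs as remapped (1716 goes 0x22A000 -> 0x4EF000 -> 0x22A000; 2392 additionally shows a 0x21D000 mapping) and singles out 2392's dump #23 at 0x3410000 as exactly the size of the 0x400000-0x62A000 image. The 0x133000-byte private regions in both PIDs (dumps 1716-2 and 2392-18) do not match an image size and are left for manual review.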

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 03:50

Reported

2024-02-02 03:53

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe"

Signatures

Deletes itself: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
Executes dropped EXE: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
UPX packed file (upx): two hits, no process recorded
Suspicious behavior: RenamesItself: process C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe

Description, indicator and target fields are N/A for every entry. Unlike the Windows 7 run, no "Loads dropped DLL" hit was recorded on Windows 10.

Processes

C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
  "C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe"
C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe

Same picture as on Windows 7: every entry is the sample's own image path, and the dumps below come from two PIDs (4640 and 228), so the sample again launches a second instance of itself.
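The process behaviour recorded in both detonations (a binary in %TEMP% spawning a copy of its own image, rewriting the file at its own path, and later deleting it) is detectable from ordinary endpoint telemetry. The following is an added example for this report, not sandbox or sample code: three rules run over Sysmon-shaped events (Event ID 1 ProcessCreate, 11 FileCreate, 23/26 FileDelete, with Sysmon's field names). The event list is constructed to mirror the process list above and is not real telemetry from the sandbox; the parent PID, timestamps and the benign notepad.exe control event are assumptions.

```python
# Sysmon event IDs (ProcessCreate, FileCreate, FileDelete archived / detected).
SYSMON_PROCESS_CREATE = 1
SYSMON_FILE_CREATE = 11
SYSMON_FILE_DELETE_IDS = {23, 26}

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe"

# Constructed events mirroring the behavioral1 process list; NOT telemetry captured by the sandbox.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-02 03:50:10.000", "ProcessId": 1716, "Image": SAMPLE_PATH,
     "ParentProcessId": 1204, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-02-02 03:50:11.000", "ProcessId": 1716, "Image": SAMPLE_PATH,
     "TargetFilename": SAMPLE_PATH},                                  # rewrites its own file on disk
    {"EventID": 1, "UtcTime": "2024-02-02 03:50:12.000", "ProcessId": 2392, "Image": SAMPLE_PATH,
     "ParentProcessId": 1716, "ParentImage": SAMPLE_PATH},            # second instance of itself
    {"EventID": 23, "UtcTime": "2024-02-02 03:50:13.000", "ProcessId": 2392, "Image": SAMPLE_PATH,
     "TargetFilename": SAMPLE_PATH},                                  # deletes the original path
    {"EventID": 1, "UtcTime": "2024-02-02 03:50:20.000", "ProcessId": 3000,  # benign control event
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 1204,
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them lower-cased."""
    return path.lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in norm(path)


def detect(events) -> list:
    """Return (rule, pid) findings, evaluating events in time order so that
    'dropped' and 'executed' state is built up before the rule that needs it fires."""
    findings = []
    written = set()    # normalised paths created or overwritten earlier in the trace
    executed = {}      # normalised image path -> {pids that ran it}
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == SYSMON_PROCESS_CREATE:
            img, parent = norm(e["Image"]), norm(e["ParentImage"])
            executed.setdefault(img, set()).add(pid)
            if img == parent and in_user_temp(img):
                findings.append(("self_spawn_from_temp", pid))      # RenamesItself / hollowing staging
            if img in written:
                findings.append(("executes_dropped_exe", pid))      # file written in-trace, then run
        elif eid == SYSMON_FILE_CREATE:
            written.add(norm(e["TargetFilename"]))
        elif eid in SYSMON_FILE_DELETE_IDS:
            if norm(e["TargetFilename"]) in executed:
                findings.append(("deletes_executed_image", pid))    # Deletes itself
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} pid={pid}")
```

Sysmon only emits Event ID 11 and 23/26 for paths its configuration includes, so the FileCreate and FileDelete rules need %TEMP% covered in the config; the self-spawn rule works from ProcessCreate alone. Matching on path equality rather than hash is deliberate here, because the whole point of this sample's behaviour is that the hash at the path changes mid-run.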

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           zipansion.com                   udp
US       172.67.144.180:80    zipansion.com                   tcp
US       8.8.8.8:53           yxeepsek.net                    udp
US       172.67.194.101:80    yxeepsek.net                    tcp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           180.144.67.172.in-addr.arpa     udp
US       8.8.8.8:53           140.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           101.194.67.172.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa       udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa      udp

The same two domains and Cloudflare-fronted addresses (172.67.0.0/16) as in the Windows 7 run. Of the reverse (PTR) lookups, only 180.144.67.172.in-addr.arpa and 101.194.67.172.in-addr.arpa correspond to hosts the sample actually connected to; the other PTR queries have no matching TCP connection anywhere in this trace and should not be treated as sample indicators without corroboration.

Files

memory/4640-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4640-1-0x0000000001CE0000-0x0000000001E13000-memory.dmp
memory/4640-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8879fdbfc9bc619b562119dcd86523d7.exe
MD5 4d64ef6bf1ff1e8b1ecdc67d006dbc6e
SHA1 1a4ccb9d4f24b51741fae2cd8dce8ae59d230366
SHA256 4bafe90af24cd1abf67cf26fe719e4ba20345f5c5205e7b27b51ef484514907f
SHA512 7af0020c0f23737daff90f6d912ae8cc097067025d1a3720eda6309c49f4b05d5eabe1d304b2f5f7079518091f7f798eda80fd3c53c852e5e08f5a2b0218412e

memory/4640-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/228-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/228-13-0x0000000001CF0000-0x0000000001E23000-memory.dmp
memory/228-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/228-20-0x00000000055F0000-0x000000000581A000-memory.dmp
memory/228-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/228-28-0x0000000000400000-0x00000000008EF000-memory.dmp

The file captured at the sample's path (SHA256 4bafe90a...) again differs from the submitted sample (88a4c2ab...) and from both captures in the Windows 7 run, so the rewritten content is not a fixed second-stage binary and its hash is not a reliable indicator. The memory layout matches the Windows 7 run region for region: the 0x400000 mapping is captured at end addresses 0x62A000, 0x8EF000 and 0x61D000 in PID 228, and dump 228-20 (0x55F0000-0x581A000) is exactly 0x22A000 bytes, the size of the 0x400000-0x62A000 image.