Malware Analysis Report

2025-03-15 07:46

Sample ID 240202-hxpmgsaefm
Target 88e08d2ea65b67e0887fbc3cd528a675
SHA256 c48966c086bd96f08086b25818b02275aec8c65623526ea4b0aabf79b527f8e7
Tags
upx gozi banker isfb trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c48966c086bd96f08086b25818b02275aec8c65623526ea4b0aabf79b527f8e7

Threat Level: Known bad

The file 88e08d2ea65b67e0887fbc3cd528a675 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-02 07:07

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 07:07

Reported

2024-02-02 07:09

Platform

win7-20231215-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

"C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe"

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1932-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1932-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1932-3-0x0000000000130000-0x0000000000263000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

MD5 954b70ae1625fcbe983967fa02af301f
SHA1 f6d00d9c38aeac9cfcac04df68e5050f11b0e3fc
SHA256 5f55ee50b6b354789428fa21904010f03f413f3512481399287b9405edf527d8
SHA512 4b031eeaf5896af95e5b5c7c9f5489c144ef9f5b4a2da7a71b69716729416408647c3bf9a88ee3b1d378e890a5e6a4825aba051aac0d7ef3ca8c8122335d59ea

memory/1932-15-0x0000000003AB0000-0x0000000003F9F000-memory.dmp

memory/1932-13-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

MD5 4499be1deec0e3ffe73b2cb494ac1acd
SHA1 2a4a199165c25aa0a5a65649c1df655f30cda99e
SHA256 9e99954e26e0f75f3ed6c8d391ef1751d24ca4a2c3070ff03fd0011741b9e0ce
SHA512 909aa8bf6c07bd3c6ade2ac11eaf16ba921a2df8bd8e5805efdfa8a05707204db4e26c966ab9b5e50fb39d2e8fa5122e17aa4aa66b23ec11d916e8b4c06d4a2d

memory/2376-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2376-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2376-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2376-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2376-24-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/1932-31-0x0000000003AB0000-0x0000000003F9F000-memory.dmp

memory/2376-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 07:07

Reported

2024-02-02 07:09

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

"C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe"

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/1628-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1628-1-0x0000000001C60000-0x0000000001D93000-memory.dmp

memory/1628-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe

MD5 6682ce0e3ab05270116ac84273b34d4e
SHA1 f3a5609cd343a8a9fd66d50aa83eebef5d38d6bb
SHA256 c74943f4431181123f1ca0c30c7a4ec56d14de9c0a1b569594b412d55377fedf
SHA512 9c255e5e48aa3b91f291fa71cd9b8b594ee4737265823485047d28d9fb960dff8921885c209122be59d806fbb2f5bb90f6de8f0696c45a745ed1bb7e0560ecc9

memory/1628-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3372-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3372-14-0x0000000001D10000-0x0000000001E43000-memory.dmp

memory/3372-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3372-20-0x0000000005610000-0x000000000583A000-memory.dmp

memory/3372-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3372-28-0x0000000000400000-0x00000000008EF000-memory.dmp