Malware Analysis Report

2025-03-15 07:46

Sample ID: 240202-rzedzaafam
Target: 89c497d0127c669b86a52a5c6833b25c
SHA256: fd58415e0d71d7cb35d07cd6739d51f6cb486c11c37067dd2fe549fb2e9f0df8
Tags: upx isfb gozi
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: fd58415e0d71d7cb35d07cd6739d51f6cb486c11c37067dd2fe549fb2e9f0df8

Threat Level: Known bad

The file 89c497d0127c669b86a52a5c6833b25c was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-02 14:37

Signatures

Gozi family (gozi)

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-02 14:37
Reported: 2024-02-02 14:40
Platform: win7-20231215-en
Max time kernel: 122s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

Network

Country  Destination         Domain         Proto
US       8.8.8.8:53          zipansion.com  udp
US       104.21.73.114:80    zipansion.com  tcp
US       8.8.8.8:53          yxeepsek.net   udp
US       172.67.194.101:80   yxeepsek.net   tcp

Files

memory/2052-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2052-2-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2052-1-0x0000000000400000-0x0000000000622000-memory.dmp

\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

MD5 488b8766a85a22fa7d68db17463eec51
SHA1 40674b9856c6dcf29f1a0b95818e018d816e8b50
SHA256 d74b6c1fc8b1f44f4afca9fcbe99f9999b993a610c036b1c8b0cdb67ced095c2
SHA512 ec3e28373b3018e32c3e520f2e9c4d6ef0ac9dbbace78e342d9d5ef397a66b008dbb84f57d8c9a9cfc9a9365fd383c1579d322be70c88258dfcd93b64d8ebd95

memory/2052-15-0x0000000003CA0000-0x0000000004187000-memory.dmp

memory/2052-14-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

MD5 13ad5adb50368aecd8e55978cb47f22c
SHA1 8f2cf631131af42e9e7f40d7ffc62cf823e9a73f
SHA256 bc18ad6ce3a0219271feece996be0d9c01e6bc732299fc90dc23614720b61431
SHA512 5aaaf1e6f831b585b6624aaff8d77b431f57016c71947c900d000508d04ad64bc5ccebad376ac8da0aea5d699ed517fdeb451e6dee6ccde03614e4cdd6ae050f

memory/1672-17-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1672-18-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/1672-16-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1672-24-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/1672-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2052-31-0x0000000003CA0000-0x0000000004187000-memory.dmp

memory/1672-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-02 14:37
Reported: 2024-02-02 14:40
Platform: win10v2004-20231215-en
Max time kernel: 92s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53          zipansion.com                  udp
US       172.67.144.180:80   zipansion.com                  tcp
US       8.8.8.8:53          yxeepsek.net                   udp
US       172.67.194.101:80   yxeepsek.net                   tcp
US       8.8.8.8:53          173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          180.144.67.172.in-addr.arpa    udp
US       8.8.8.8:53          101.194.67.172.in-addr.arpa    udp
US       8.8.8.8:53          146.177.190.20.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53          194.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa    udp

Files

memory/2408-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2408-2-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2408-1-0x00000000018F0000-0x0000000001A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe

MD5 5aab74c4cda7d2b7b7d00400c443f928
SHA1 684b2b06c2a48a8e5a90071141905ec31ddee20d
SHA256 536c70f460f2fb58e6be5824a1d367556ff417caf14235675b3686d50d670d11
SHA512 eef5b6843f4f147e1ecceb3b38fdea552d47277727e54f5a4749962acc0f9178d80850b278a9d9a37e74698705390b2d873f3c96c1a19f3f004c278783ec3fe5

memory/2408-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3916-15-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3916-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3916-13-0x0000000001D30000-0x0000000001E61000-memory.dmp

memory/3916-20-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3916-22-0x0000000005620000-0x0000000005842000-memory.dmp

memory/3916-28-0x0000000000400000-0x00000000008E7000-memory.dmp