Malware Analysis Report

2025-03-15 07:46

Sample ID 240202-xbfvsaehdl
Target 8a40e729cf33d06ed1fdd3ea5260d195
SHA256 5b714887317eca02f7aaa57e97c8d46ac1025e07c6b82c0d7e544baf51f6914d
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b714887317eca02f7aaa57e97c8d46ac1025e07c6b82c0d7e544baf51f6914d

Threat Level: Known bad

The file 8a40e729cf33d06ed1fdd3ea5260d195 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-02 18:40

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 18:40

Reported

2024-02-02 18:43

Platform

win7-20231215-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

"C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/1384-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1384-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1384-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

MD5 1169927a79010c2c860bc2541c7069ed
SHA1 98f9bde65d565b67e2835d559e3f96cd902476b5
SHA256 043877c9885983462fc23bbad4279050b8a038b35d356b62376958427148cc64
SHA512 149e2165adb365d522ac0921a39864b684ac8fa43920bb8da7166780718c29bcaf2843033602a775482998d7f27a05fe85f41a50bfca618fe78321313e9f919c

\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

MD5 751ffff729f9dfac9bdd366d6b786369
SHA1 c6b5b98ed294100f5f09c9efbde9dc3ffbe907a0
SHA256 58315cc0304e966b480733d8ba8a24d31cebf3f428a8952043187124364accea
SHA512 59389fe8d8dcc67f274699e17967c4fdd9eeab604a2711ae34d0ee00555265d3f3e22d9d3af75374bbbbc98ee6398cb4d531b325a4d827f40240383c8001f060

memory/1384-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3012-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3012-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3012-19-0x0000000000240000-0x0000000000373000-memory.dmp

memory/1384-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/3012-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3012-26-0x0000000003660000-0x000000000388A000-memory.dmp

memory/1384-31-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/3012-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 18:40

Reported

2024-02-02 18:43

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

"C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/5056-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/5056-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/5056-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3708-13-0x0000000001C90000-0x0000000001DC3000-memory.dmp

memory/3708-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3708-15-0x0000000000400000-0x00000000008EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe

MD5 43efcf857760d0e8bc09def8d88e8c5e
SHA1 90874909c06fcd730dadd68d01dcedddd38d0180
SHA256 f9ade04ed584c190a83bbde22bd94f99ebf3ac82bf1659c68f2c66135bb7c4db
SHA512 790c11669e3d9584b559d3e54561c95db61340288d7fddb7c4dd3641f38fd2c88ebf8980c9fc683b6098c5ff6d2add69b8628e181f7e79e85749f20b0ed9ebee

memory/5056-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3708-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3708-21-0x0000000005590000-0x00000000057BA000-memory.dmp

memory/3708-28-0x0000000000400000-0x00000000008EF000-memory.dmp