Malware Analysis Report

2025-03-15 07:46

Sample ID 240203-r32nnsebfr
Target 8c97c2d1349936dcba035061d4085478
SHA256 b02fe033d0cbfe6b377932ed3b5169213ad2a967cf2d6161e24f74584980554d
Tags upx gozi banker isfb trojan
Score 10/10

Analysis Overview

Score
10/10

SHA256

b02fe033d0cbfe6b377932ed3b5169213ad2a967cf2d6161e24f74584980554d

Threat Level: Known bad

The file 8c97c2d1349936dcba035061d4085478 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 14:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 14:43

Reported

2024-02-03 14:46

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2520-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2520-2-0x00000000002B0000-0x00000000003E3000-memory.dmp

memory/2520-1-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

MD5 859a12391087485810660eb8da8f67ef
SHA1 0b59a30e7b23cad8366ffe63249d1b0586529b6b
SHA256 8461146d63afb397b49fe1344edd315c284cf94b0d5c865009460386ed1fa7aa
SHA512 7bb5ef8de1b28a57c35daf72e10c4a6a961391afea7ef1935e45b5077cb6e780a5d604d8e7e0c4bc972192f9fc63b4383fba076fcaffa7ba685f2188e7f1c196

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

MD5 9170672061bfc88e6da343b99e9f5275
SHA1 303834c61334ca8a540999ffbc16f72beeb27bdb
SHA256 e30dd25b5e7682d3837c4db7447a50e2b46cd8a72f9326f338463b9ae9a1bf12
SHA512 f8c391cbf93ca7bfd338cbd88066b408b5ad13b034c13be8084a1c1546295bb8429faa19d79a2b68c2317ab65369be39a64c86b4392870428350e20e62baeffa

memory/2876-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2520-16-0x00000000036B0000-0x0000000003B9F000-memory.dmp

memory/2520-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2876-19-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2876-21-0x0000000000130000-0x0000000000263000-memory.dmp

memory/2876-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2876-25-0x00000000035B0000-0x00000000037DA000-memory.dmp

memory/2876-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 14:43

Reported

2024-02-03 14:46

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/560-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/560-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/560-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe

MD5 734b92e2a7942f48a1722e54ef257a71
SHA1 e5d91a36ba33e8e878bc8a30f38f785f7571681b
SHA256 24bb240ac37ebbf44684df6ecdd126a8336396382949366db812dcd98cf58849
SHA512 b2df55e405a52cd86671300b408353cc9d8c8ca8824cd3dd46efc0b7f1e7a6cd6629bf36b8ccf46981e1ef391cac5bf64bd339275776b4d8a3594cf7076cd474

memory/560-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2436-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2436-14-0x0000000001D30000-0x0000000001E63000-memory.dmp

memory/2436-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2436-20-0x0000000005630000-0x000000000585A000-memory.dmp

memory/2436-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2436-28-0x0000000000400000-0x00000000008EF000-memory.dmp