Malware Analysis Report

2025-03-15 07:46

Sample ID: 240203-vntlasebg4
Target:    8ce04c1b7657b765eb9bd1fa9a7a8372
SHA256:    6a4b9be261ece2991aab2c3513e9f80b5877baf30e4ff3f0c7fc871fc87bc61f
Tags:      upx gozi banker isfb trojan
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  10/10
SHA256: 6a4b9be261ece2991aab2c3513e9f80b5877baf30e4ff3f0c7fc871fc87bc61f

Threat Level: Known bad

The file 8ce04c1b7657b765eb9bd1fa9a7a8372 was found to be: Known bad.

Malicious Activity Summary

Tags: upx gozi banker isfb trojan

  Gozi
  Executes dropped EXE
  Deletes itself
  Loads dropped DLL
  UPX packed file
  Unsigned PE
  Suspicious behavior: RenamesItself
  Suspicious use of UnmapMainImage
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-03 17:08

Signatures

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-02-03 17:08
Reported:         2024-02-03 17:11
Platform:         win7-20231129-en
Max time kernel:  118s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

Network

Country  Destination       Domain         Proto
US       8.8.8.8:53        zipansion.com  udp
US       104.21.73.114:80  zipansion.com  tcp
US       8.8.8.8:53        yxeepsek.net   udp
US       104.21.20.204:80  yxeepsek.net   tcp

Files

memory/2220-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2220-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2220-3-0x0000000000130000-0x0000000000263000-memory.dmp

\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

MD5 56c7a81c9f8ce2ec4ba125125c6cec0f
SHA1 f52fd4854e91d1d99551e040a1fb662750fca58b
SHA256 c436350e4a9fa32fc9a712ad151ebdd965d7582ed77d9affdde7adfeace5b4be
SHA512 e47bf1acb952e6ece52d6d8bc1f4bd39ff9cdf5fb9d4ec9ffdd984180c9ce1f6b42a63341017a55320cada1b4d4239d903693eb4567a535571a928c9cdea0281

memory/2220-15-0x00000000037E0000-0x0000000003CCF000-memory.dmp
memory/2220-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2352-17-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2352-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2352-24-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2352-16-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

MD5 a322d39d10430f877741a6667ee5a63d
SHA1 999ba09295b3922ab81e12f8bc51e334a574bba1
SHA256 c3ee8e04aebafe60f6b2e0722fb29bda09db62109c1548655198641f04b141e2
SHA512 bf24fe9da8d58b5dcaed292569e091347a213861d38e4b72c32027a60456b9ee21869103ea23c13bf6e9e1d66661a4824e9f5ec9a0df0b3fd1f7f7851d6fab7a

C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

MD5 ef6bc13be4e564614bdc9d6c48f2cf9e
SHA1 1ca4802d38ff94a25c3e34096b7fdd817fdcec98
SHA256 d468c37fbb578abd65b10147ac795049deccceb6c90d699a1a70b4be6dd0bfeb
SHA512 3f2d8524ac7999098e52656664022d8c419d5e6f9787564506d5de8a4efde47c49d3f96e44f619bbd3d4fff847d1c5220bd57e7bee64686ffc812aa82ab1a33d

memory/2220-30-0x00000000037E0000-0x0000000003CCF000-memory.dmp
memory/2352-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-02-03 17:08
Reported:         2024-02-03 17:11
Platform:         win10v2004-20231215-en
Max time kernel:  92s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"

Signatures

Gozi (banker trojan gozi)

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

UPX packed file (upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

Network

Country  Destination       Domain         Proto
US       8.8.8.8:53        zipansion.com  udp
US       104.21.73.114:80  zipansion.com  tcp
US       8.8.8.8:53        yxeepsek.net   udp
US       104.21.20.204:80  yxeepsek.net   tcp

Files

memory/2200-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2200-2-0x0000000001D10000-0x0000000001E43000-memory.dmp
memory/2200-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2200-12-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe

MD5 a349f110bc4c321582e863f3f808ec8e
SHA1 c0603a3c7672a1b81d252064ed669ff689bfbd09
SHA256 b06f479d36b8ab8d82742001b1eabeccd67dee472b48bcfbadc1d0dcd0db7b34
SHA512 05eec7329d769aa8c265634c7b278416bebf98f8bdf21c4da6a66737059a459f97cfaafa0a9b71cda42826522d54038d00d13b19dc74439c1f5b61aedee9d110

memory/2696-14-0x0000000001D20000-0x0000000001E53000-memory.dmp
memory/2696-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2696-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2696-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2696-22-0x0000000005620000-0x000000000584A000-memory.dmp
memory/2696-28-0x0000000000400000-0x00000000008EF000-memory.dmp