Malware Analysis Report

2025-03-15 07:46

Sample ID 240203-x3b1xaagdm
Target 8d245426988d44f119dcbcc06786b1cf
SHA256 a0534fdb6d88c10a42c37a0ea421fd97aa1afa9a364458baebc4380a35c10fa0
Tags: upx gozi banker isfb trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

a0534fdb6d88c10a42c37a0ea421fd97aa1afa9a364458baebc4380a35c10fa0

Threat Level: Known bad

The file 8d245426988d44f119dcbcc06786b1cf was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Loads dropped DLL

UPX packed file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 19:22

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 19:22

Reported

2024-02-03 19:24

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

"C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe"

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

MD5 11bdc9d20a2224558e907828449b13ce
SHA1 4b4e0c759c8ad58ebeca4b4ccf27353609b39997
SHA256 a5a4132061c88ef6c686ba7eb0a046228e32b1df3c0729a6a16da052814a62f5
SHA512 5d641990731d095c1511d5d42d566d25890a39029729c4e7641f554a7501eda0df49e1f9badb8fffa1527f0d961ef48c552750df81a856d1bc1b4e63c04554bd

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 19:22

Reported

2024-02-03 19:24

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

"C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe"

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

MD5 9a06ec0c482ade3ac3cef5b9a8a0e98b
SHA1 1dca69a45c1fe4622b07973c55ace4da52d33bd7
SHA256 461b803fffbd3b226fe911337a51912d0f25b5346cc8212e803cad8a828f7472
SHA512 0f33fded237411591300ad2427b5282d721b6d4b551cd012c3a2ce0cee31858a12b26b623b8aa8d2c6f59f28e7e549a515ad649ba2fea1c8d9ace6edcc5b7fb7

C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe

MD5 32dabf83837268d992e3a6d98b006676
SHA1 3b96c8e83834790b01e80bd4bad8afbae6244bb7
SHA256 cb23b6e8ccfffcbb2aa96a57f4a55d3c24077b298c30ce00337428500a53b24f
SHA512 48a1d548f443132e0f0b014633cd7a3824b4a6c075606a925b9851e6d5b2f82a79633e9ef976e2029992b8d72dd6bfcf3d53afb91300bd4468e80ea91fda14cb
