Malware Analysis Report

2025-03-15 07:46

Sample ID 240203-yg8nesghg3
Target 8d308d3895fc99a562209b4f2c934bdb
SHA256 aba8495d4cbe3246d63612ac684df11435024ebf6c7e9047a615673bce6a918a
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aba8495d4cbe3246d63612ac684df11435024ebf6c7e9047a615673bce6a918a

Threat Level: Known bad

The file 8d308d3895fc99a562209b4f2c934bdb was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

Loads dropped DLL

UPX packed file

Executes dropped EXE

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-03 19:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 19:46

Reported

2024-02-03 19:49

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

"C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

Network

Country  Destination          Domain         Proto
US       8.8.8.8:53           zipansion.com  udp
US       104.21.73.114:80     zipansion.com  tcp
US       8.8.8.8:53           yxeepsek.net   udp
US       172.67.194.101:80    yxeepsek.net   tcp

Files

memory/1752-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1752-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1752-2-0x00000000018F0000-0x0000000001A23000-memory.dmp

\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

MD5 4baf49ed622024ca727621d9d056dfb6
SHA1 bff37ead97ee2cc65e0718233476c7209648e861
SHA256 0466553bf44cf275224f6b8e1d1a3caa058468900cfa93bef37bbb4360587a20
SHA512 8b8ef32149a1d1e9abb9c6eb5bd39bd01cc1f17a7fa275dfc70013d9ee47f08e642b0e4c2ef8b9afded8306c44409021c7cb0d925c4b4823f6522ff134130e23

memory/1752-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2448-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2448-18-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2448-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2448-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2448-22-0x0000000003410000-0x000000000363A000-memory.dmp

memory/2448-30-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 19:46

Reported

2024-02-03 19:49

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

"C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53           zipansion.com                   udp
US       172.67.144.180:80    zipansion.com                   tcp
US       8.8.8.8:53           yxeepsek.net                    udp
US       104.21.20.204:80     yxeepsek.net                    tcp
US       8.8.8.8:53           187.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           180.144.67.172.in-addr.arpa     udp
US       8.8.8.8:53           204.20.21.104.in-addr.arpa      udp
US       8.8.8.8:53           20.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53           28.160.77.104.in-addr.arpa      udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           190.178.17.96.in-addr.arpa      udp

Files

memory/2336-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2336-2-0x0000000001C20000-0x0000000001D53000-memory.dmp

memory/2336-1-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe

MD5 9c8ae011b8bc4fb80ded642fa90f0717
SHA1 1bea2b1dc5404e0d3a903172e7e7d6a7087e11f3
SHA256 464a6587fa5a350c92fd6c5b2d8369fc6eb8507395e286387dbaf2ed95d29c37
SHA512 52db097accb5ce8668a0c8df449a412b40ab405e1a96d9d988e64b699131cba379861d186e4fac2c5243789844778779de483df4a429013175f82073ce4ae1c7

memory/2336-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3688-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3688-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3688-16-0x0000000001CC0000-0x0000000001DF3000-memory.dmp

memory/3688-21-0x00000000055C0000-0x00000000057EA000-memory.dmp

memory/3688-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3688-28-0x0000000000400000-0x00000000008EF000-memory.dmp