Malware Analysis Report

2025-03-15 07:45

Sample ID 240204-axmh5adda2
Target 8dc569854ae522a97819b2a05c93abd7
SHA256 002afc49b88148c7002721cec60096f5ae1b28d35bcedf9d1e94123c8f69f93d
Tags

upx gozi banker isfb trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

002afc49b88148c7002721cec60096f5ae1b28d35bcedf9d1e94123c8f69f93d

Threat Level: Known bad

The file 8dc569854ae522a97819b2a05c93abd7 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-04 00:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 00:35

Reported

2024-02-04 00:38

Platform

win7-20231215-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

"C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe"

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2484-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2484-1-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2484-3-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

MD5 8bc99049654d5a3483089b35b43db8a5
SHA1 9c48cf7bcb9c63976de30327fd62c4c6065eacee
SHA256 d861d84c255354f7c624ac550553a2028c73666c796f6dfee215b2d770f292dc
SHA512 486a6e6a5c68eb70705ef3c95db023c62c915f39644662e26b19246aff26c3f3d7ad78b96c593512606e3ee6b586b61133568c18196ddd92a19076fd7d1280fa

memory/2484-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

MD5 9e857328b12b9463df4b17e930234b7e
SHA1 7bc1f8a741c793c9e869845bc79d9b4500dd5015
SHA256 651226e45b377b8c30afccf77ef693569148658f2b81a0139c62295559b0c76d
SHA512 c8f691d5c327e99b2bab7d174167491ba6e004d582a5914e911063b465cb5e5eb5c19b6450c7d703f5f0d89b84ada0171417f303662dc502892059d5c98e919a

memory/2384-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2384-15-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

MD5 fde4861353ecd3d2f570763d92c02171
SHA1 51f4a242a83ea489eccd14e3cec3220b511a2ed6
SHA256 5957dbb4176a4634a1e3de2a4fdc02102eb1162a21a799e27eb0fcba0818965f
SHA512 bab559b248cfba31287340e238c68e7fffc04e250c511c4bcba06ae77be2b33d41080f5384e6d29308a082042a04a63c2c4f45884acb272eff7b3a8ff736cbf3

memory/2384-17-0x00000000002B0000-0x00000000003E3000-memory.dmp

memory/2384-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2384-23-0x0000000003540000-0x000000000376A000-memory.dmp

memory/2384-30-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 00:35

Reported

2024-02-04 00:38

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

"C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe"

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/4176-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4176-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4176-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8dc569854ae522a97819b2a05c93abd7.exe

MD5 8c9ba9512c5eaedd8591f72027d6ffe4
SHA1 9635f5fa8094872e98e3c9d4756adf0ede24b640
SHA256 7fbb5ea3e939e5e991ed8590d18964e21dddf1ae92c68dce5229feeee4798714
SHA512 cf231e23e1923edc9881b287909f15474748a753a2864283fb0cea2d738b077fcab4c52b4b6e9867cc64ee37b838e0574782121bc1f05f2823f7b6c2b5881810

memory/2936-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2936-14-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2936-15-0x0000000001D10000-0x0000000001E43000-memory.dmp

memory/4176-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2936-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2936-20-0x0000000005610000-0x000000000583A000-memory.dmp

memory/2936-28-0x0000000000400000-0x00000000008EF000-memory.dmp