Malware Analysis Report

2025-03-15 07:46

Sample ID 240206-kjld1scba7
Target 94463c7bd67b1478fd80bc2b5e7ae2ae
SHA256 026e7311280d3c6a06a979ae465de42a8b7cd99e0b0ac7d6e11eb071b441b56b
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

026e7311280d3c6a06a979ae465de42a8b7cd99e0b0ac7d6e11eb071b441b56b

Threat Level: Known bad

The file 94463c7bd67b1478fd80bc2b5e7ae2ae was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-06 08:37

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 08:37

Reported

2024-02-06 08:40

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         zipansion.com  udp
US       104.21.73.114:80   zipansion.com  tcp
US       8.8.8.8:53         yxeepsek.net   udp
US       104.21.20.204:80   yxeepsek.net   tcp

Files

memory/3032-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3032-1-0x0000000000280000-0x00000000003B1000-memory.dmp

memory/3032-2-0x0000000000400000-0x0000000000622000-memory.dmp

\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

MD5 f5203311d848310bc6303ed1fec84a11
SHA1 2c85bda0054ad5eae489a58cea7ad52184904bbf
SHA256 38c4befff0c635709f2c7a8a2978a060a2ebea91f71d92887775d487a4d250af
SHA512 6d8c621d2df49a568ea598305dc043f3bb2b6de3cb29d8553e77c5d66cf2b07ad78b74ba8b42e0429926cac296958c0e27d690fccb5d2bb19a5bbaf71adf8eea

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

MD5 520d9f14863254b2a361107670850b89
SHA1 c6f8f7b72c1aaa230a5e8b4616e9f0139e9607e7
SHA256 14f733791555d87b8f06680beb690483352427a7e1642548253b48258ba75a72
SHA512 6e0661d4c29f755827b9bd7cb254d347effbf634e1efb8d436e186c280c5806daa5b2d42c94081d230bd29f75aefd4e4cfd423af64f2f5e8e274960f3ce35492

memory/3032-18-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2840-17-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2840-21-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2840-16-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

MD5 bdb6677e10bd571204fef064c552c1da
SHA1 997c2ad89279da8b1ba6fd605937a386a56d0f7f
SHA256 a83c39994bf65b3ec2465998a52a321ca2c9703387f6453b1a62a032896e0d8f
SHA512 604f3f232c6726264e96b6577db9cdf69ba69ee284dd6e09f831ec656cae141f632ad1f68c867fa7751d67d068e5abdbd38819bc11e17341c2ce488e3f9a5303

memory/3032-14-0x0000000003860000-0x0000000003D47000-memory.dmp

memory/2840-25-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/2840-24-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2840-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 08:37

Reported

2024-02-06 08:40

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Network

Country  Destination        Domain                        Proto
NL       52.142.223.178:80  N/A                           tcp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa   udp
US       8.8.8.8:53         zipansion.com                 udp
US       172.67.144.180:80  zipansion.com                 tcp
US       8.8.8.8:53         yxeepsek.net                  udp
US       172.67.194.101:80  yxeepsek.net                  tcp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         180.144.67.172.in-addr.arpa   udp
US       8.8.8.8:53         101.194.67.172.in-addr.arpa   udp
US       8.8.8.8:53         71.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53         217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53         86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53         217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53         0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53         43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53         189.178.17.96.in-addr.arpa    udp

Files

memory/544-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/544-2-0x0000000000400000-0x0000000000622000-memory.dmp

memory/544-1-0x00000000018F0000-0x0000000001A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe

MD5 1e3141f061ddf31fe9f8ecbeeb0abc6d
SHA1 9eef4bdedf7ca229a9675066cb80efbc1020d1de
SHA256 17f93d492bad1af02aaa62069283828cb1f80ee113091e60443af50c68af43dc
SHA512 16c58ef15381434b485772bc214a28700d78eb6f60809d9514bb2140c731f12e70406836d443fcc437c906d9632ba017b3057766aba8057e17d5fd9ed0bbd74b

memory/544-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/220-13-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/220-16-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/220-21-0x0000000000400000-0x0000000000616000-memory.dmp

memory/220-20-0x0000000005550000-0x0000000005772000-memory.dmp

memory/220-28-0x0000000000400000-0x00000000008E7000-memory.dmp