Malware Analysis Report

2025-03-15 07:45

Sample ID 240212-ajgeysdb2v
Target 95be18d77580bcc6a619e07fdbaa612e
SHA256 90d4c0161bf9476c744e48643f782306e38e832a0dec793e60be2f5442a9763d
Tags
gozi banker isfb trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90d4c0161bf9476c744e48643f782306e38e832a0dec793e60be2f5442a9763d

Threat Level: Known bad

The file 95be18d77580bcc6a619e07fdbaa612e was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan upx

Gozi

Deletes itself

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-12 00:14

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
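Both static signatures above reduce to header fields that can be read without running the file. The following is an added example, not the sandbox's own signature logic: a minimal PE header walker that reports the stock UPX section names (UPX0/UPX1) and whether the Authenticode Certificate Table data directory is populated. The `build_test_pe` helper constructs a headers-only PE32 image for exercising the checks; it is not the analysed sample.

```python
import struct

# Added example: header-only PE checks mirroring the 'UPX packed file' and
# 'Unsigned PE' static signatures. Nothing here executes the input.


def _pe_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature via e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def section_names(data: bytes) -> list:
    """List section names from the COFF section table, in file order."""
    pe = _pe_offset(data)
    (num_sections,) = struct.unpack_from("<H", data, pe + 6)
    (size_opt,) = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + size_opt            # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # 40-byte IMAGE_SECTION_HEADER
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Weak heuristic: stock UPX leaves UPX0/UPX1 section names behind.
    A build with renamed sections will not trip this; pair it with an
    entropy check or an unpacking attempt before relying on it."""
    return any(name.upper().startswith("UPX") for name in section_names(data))


def has_authenticode_signature(data: bytes) -> bool:
    """True if the Certificate Table data directory (index 4) is populated.
    An empty directory is what 'Unsigned PE' reports; a populated one only
    means a signature blob exists, not that it verifies."""
    opt = _pe_offset(data) + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        count_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+
        count_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (count,) = struct.unpack_from("<I", data, opt + count_off)
    if count <= 4:
        return False
    va, size = struct.unpack_from("<II", data, opt + dir_off + 8 * 4)
    return va != 0 and size != 0


def build_test_pe(sections, cert_size: int = 0) -> bytes:
    """Constructed, headers-only PE32 image used to exercise the checks.
    It is not the analysed sample and is not executable."""
    size_opt = 224                        # PE32 optional header incl. 16 directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 4, 0x1000 if cert_size else 0, cert_size)
    secs = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    packed = build_test_pe(["UPX0", "UPX1", ".rsrc"])
    print(section_names(packed), looks_upx_packed(packed), has_authenticode_signature(packed))
```

Neither check is a verdict on its own: plenty of legitimate software ships UPX-packed or unsigned, and a packer that renames its sections defeats the name test. What the two signatures do tell you is that the bytes on disk are not the code that runs, which is why the behavioural runs below, and the memory dumps they produce, are where the actual Gozi/ISFB payload has to be looked for.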

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 00:14

Reported

2024-02-12 00:17

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          81.171.91.138.in-addr.arpa     udp
US       138.91.171.81:80    -                              tcp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53          173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          zipansion.com                  udp
US       172.67.144.180:80   zipansion.com                  tcp
US       8.8.8.8:53          yxeepsek.net                   udp
US       172.67.194.101:80   yxeepsek.net                   tcp
US       8.8.8.8:53          180.144.67.172.in-addr.arpa    udp
US       8.8.8.8:53          101.194.67.172.in-addr.arpa    udp
US       8.8.8.8:53          74.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53          23.160.77.104.in-addr.arpa     udp
US       8.8.8.8:53          21.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53          16.173.189.20.in-addr.arpa     udp

(- = connection made directly to the IP address; no domain recorded for it)

Files

memory/1284-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1284-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/1284-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

MD5 2e8e5cacd8efc76dcae5eb57325c58d9
SHA1 9d27c28d1feb4d045e233dcf958663fa2c5327bc
SHA256 3a33c312a1b7a4d3d6fcb37d2cc7e8ba6e85abbd0b668e39f526ec4550819717
SHA512 0d12b5676b663a9fdfc5c228729c3e458d26a95dc065dda02d9c3ccced8d992339408c4ddb846e89caeef01b98c53f77f79474c1e8bccf078c6cb6fbe769af96

memory/1284-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4284-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4284-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4284-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4284-20-0x0000000005560000-0x000000000578A000-memory.dmp

memory/4284-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/4284-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 00:14

Reported

2024-02-12 00:16

Platform

win7-20231215-en

Max time kernel

117s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

Network

Country  Destination         Domain           Proto
US       8.8.8.8:53          zipansion.com    udp
US       172.67.144.180:80   zipansion.com    tcp
US       8.8.8.8:53          yxeepsek.net     udp
US       172.67.194.101:80   yxeepsek.net     tcp
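The network tables of both runs mix three kinds of rows: forward lookups and the TCP connections that follow them, a connection to a bare IP with no preceding forward lookup, and a run of reverse (in-addr.arpa) lookups sent to the sandbox's resolver. Only the first two are indicators; the PTR queries are context. The following is an added example, not the sandbox's code, that separates them. The rows are copied from the behavioral2 table above (an empty domain marks the bare-IP connection); the resolver set is the one visible in the table.

```python
import re

# Added example: triage of the sandbox network table. Rows copied from the
# behavioral2 run as (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "81.171.91.138.in-addr.arpa", "udp"),
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "zipansion.com", "udp"),
    ("US", "172.67.144.180:80", "zipansion.com", "tcp"),
    ("US", "8.8.8.8:53", "yxeepsek.net", "udp"),
    ("US", "172.67.194.101:80", "yxeepsek.net", "tcp"),
    ("US", "8.8.8.8:53", "180.144.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "101.194.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
]

# The sandbox's upstream resolver. Traffic to it is lookup metadata, not C2.
RESOLVERS = {"8.8.8.8"}

PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa", re.I)


def ptr_target(name: str):
    """For a reverse-lookup name, return the IPv4 it asks about; else None."""
    m = PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split the table into what is worth blocking and what is only context."""
    domains, direct, ptr, ip_only = set(), set(), set(), set()
    for _country, dest, domain, _proto in rows:
        host, _, _port = dest.rpartition(":")
        if host in RESOLVERS:
            ip = ptr_target(domain)
            if ip:
                ptr.add(ip)            # reverse lookup: context, not an indicator
            elif domain:
                domains.add(domain.lower())
            continue
        direct.add(dest)
        if not domain:
            ip_only.add(dest)          # contacted by address, no forward lookup
    return {
        "domains": sorted(domains),
        "direct": sorted(direct),
        "ip_only": sorted(ip_only),
        "ptr_lookups": sorted(ptr),
    }


if __name__ == "__main__":
    for key, values in triage(NETWORK_ROWS).items():
        print(key, values)
```

Two things fall out of the split. 138.91.171.81:80 is contacted with no forward lookup anywhere in the table (only a later PTR for it), so it is an address the sample already had; it belongs on a block list as an IP. zipansion.com and yxeepsek.net resolve into 172.67.0.0/16, which is Cloudflare address space, so blocking those two IPs buys little; block the domains. The PTR lookups for other cloud addresses cannot be attributed to a process from this report, since network rows are not tied to a PID, and should not be promoted to indicators on this evidence alone.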

Files

memory/2372-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2372-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2372-1-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

MD5 669a3a1bf559a6e2e3c82d1e61372c66
SHA1 6009c25ff67eb8ae2d52413f0f9599d98cbe6d5f
SHA256 e3c82738b54e94688564465b1cd2966e23c2eb6af67bf47159a00e49dd835485
SHA512 e34c5d48a696381d18b2d4182b0085fb859fadb448844938f1544dd385f53e82b401d00888c62210acb53838bfab14ba6f76432643f98576a46cb15842378fa3

C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe

MD5 bf7bac9605b05c6bd836392e39958d30
SHA1 64c810e0ff4ab6bf1eb2e6a55c9d6b811905e110
SHA256 ebdd5893e61c231efa3a3bc2ee630d3c485dbab7377df2f9fc11ff7236fa394e
SHA512 60e0fcd5e97c08c6e1fb82407c4028de584ea9eb4d0b1ce938616c2cc14e48ddff53d1a1635ca0444a8399e7438ef038d286931a78f0e36551766cac303e6008

memory/2372-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2704-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2704-18-0x0000000000230000-0x0000000000363000-memory.dmp

memory/2704-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2704-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2704-23-0x00000000034C0000-0x00000000036EA000-memory.dmp

memory/2704-30-0x0000000000400000-0x00000000008EF000-memory.dmp
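The two Files sections together explain the "Deletes itself", "RenamesItself" and "Executes dropped EXE" signatures: the only dropped files are written to the sample's own path, and none of the three SHA256 values recorded there equals the submitted sample's hash, so the file that is launched the second time is not the file that was submitted. The following is an added example, not the sandbox's code, that makes this check explicit over the report's own data and groups the memory dump names by PID and base address. Paths, hashes and dump names are copied from this report; nothing else is assumed.

```python
import re

# Added example: cross-check of the Files sections. The submitted sample's
# SHA256 is the one in the report header.
SUBMITTED_SHA256 = "90d4c0161bf9476c744e48643f782306e38e832a0dec793e60be2f5442a9763d"
SUBMITTED_PATH = r"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"

DROPPED_FILES = [  # (run, path as printed in the report, sha256)
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe",
     "3a33c312a1b7a4d3d6fcb37d2cc7e8ba6e85abbd0b668e39f526ec4550819717"),
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe",
     "e3c82738b54e94688564465b1cd2966e23c2eb6af67bf47159a00e49dd835485"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe",
     "ebdd5893e61c231efa3a3bc2ee630d3c485dbab7377df2f9fc11ff7236fa394e"),
]

MEMORY_DUMPS = [  # dump names as listed for the behavioral2 run
    "memory/1284-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1284-1-0x00000000018F0000-0x0000000001A23000-memory.dmp",
    "memory/1284-2-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/4284-13-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/4284-20-0x0000000005560000-0x000000000578A000-memory.dmp",
    "memory/4284-21-0x0000000000400000-0x000000000061D000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def normalize_path(path: str) -> str:
    """Compare paths regardless of a missing drive letter or letter case."""
    p = path.replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def self_replacements(submitted_path, submitted_sha256, dropped):
    """Hashes written to the sample's own path that differ from the sample."""
    target = normalize_path(submitted_path)
    return sorted({sha.lower() for _run, path, sha in dropped
                   if normalize_path(path) == target
                   and sha.lower() != submitted_sha256.lower()})


def parse_dump(name: str) -> dict:
    """Turn a dump file name into pid, sequence number, start, end and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def shared_bases(names):
    """Region start addresses that were dumped from more than one PID."""
    by_base = {}
    for d in map(parse_dump, names):
        by_base.setdefault(d["start"], set()).add(d["pid"])
    return sorted(base for base, pids in by_base.items() if len(pids) > 1)


if __name__ == "__main__":
    print(self_replacements(SUBMITTED_PATH, SUBMITTED_SHA256, DROPPED_FILES))
    print([hex(b) for b in shared_bases(MEMORY_DUMPS)])
```

The practical consequence is that a hash block on 90d4c016... catches only the file as it arrived: the copy that replaces it on disk carried a different SHA256 in each run, so the same path yielded three distinct hashes across two detonations. Detection has to key on behaviour (a process rewriting its own image path and relaunching it) or on the unpacked code in the dumps. On the dumps, both PIDs share the 0x400000 image base with the same region extents (0x400000-0x8EF000 and 0x400000-0x62A000), which is consistent with the relaunched file being a rewritten copy of the same packed image; the later, smaller 0x400000-0x61D000 and the separate heap-range regions in the child are the ones worth putting YARA over.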