Malware Analysis Report

2025-03-15 07:47

Sample ID: 240212-bjm36sga42
Target: 95db37424fd3430ffb0c4a60d9a1746f
SHA256: 9672b089216f36b4744f0e31107195350b0a186d6f8b43448d8a1fd6704ed97c
Tags: upx isfb gozi
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 9672b089216f36b4744f0e31107195350b0a186d6f8b43448d8a1fd6704ed97c
Threat Level: Known bad

The file 95db37424fd3430ffb0c4a60d9a1746f was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-12 01:10

Signatures

Gozi family (tag: gozi)

UPX packed file (tag: upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-12 01:10
Reported: 2024-02-12 01:13
Platform: win7-20231215-en
Max time kernel: 117s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"

Signatures

Deletes itself
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

Loads dropped DLL
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

UPX packed file (tag: upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (6 identical rows; no detail recorded for any match)

Suspicious behavior: RenamesItself
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/3048-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3048-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/3048-1-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

MD5 040a4fe66a5fa2c8693c66c11176b325
SHA1 686aa868f43022c37758f2944f8d69bfbf7feca5
SHA256 a8f531c13a301496fcce71a137c16d0f46c0c37d037b7e423f3d730461693727
SHA512 3a6bca8cd5daba9dcaef178124ea3c3f2a6f9f6b8727c26ba88d6bf0ad157b4f0f40826e3aea8a7b0b2e5081146d7f80b0bf644819b2688b7320fdc5d3bfb7cf

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

MD5 0b8a2dc9d6ac2e2de98c1ac5c82dfd91
SHA1 2ba6a006e207b02d863f14a0fad572d5678889f8
SHA256 e2aabb77bbb71fbcae9c4f2faaa50a3122e2d5444383f7233f938e33a2b0ad53
SHA512 d6f0881a4a3b55c0b73de0d7a93c6e4f017ba25f37c44ae8013d661bd0165c8f2c348fba3966a85c740b78448b35a52b85c692ffc1b393b092b47131ac568e50

memory/3048-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3048-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

MD5 9a71985052ffcecaf8e24d1a2b3c1643
SHA1 facba0fb7f35820ee5565cf593eec304fdf76d57
SHA256 66dc188c0d782375e865ace1e65420350bcfe63d40fb6a188f770c9129fbfb74
SHA512 39beb1afe988b34511285ac771be7435c5d3bedbbea80c8121dc4612e92848d1b3cd35ef9f92b304526089c801c1894b0bd089217812c0c8dab142f93e3ffb98

memory/2380-17-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2380-18-0x00000000002C0000-0x00000000003F3000-memory.dmp

memory/2380-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2380-25-0x0000000003550000-0x000000000377A000-memory.dmp

memory/2380-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2380-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-12 01:10
Reported: 2024-02-12 01:13
Platform: win10v2004-20231215-en
Max time kernel: 93s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"

Signatures

Deletes itself
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

UPX packed file (tag: upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (3 identical rows; no detail recorded for any match)

Suspicious behavior: RenamesItself
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
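The two Network tables above (behavioral1 and behavioral2) mix three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53), HTTP connections to the resolved hosts, and a run of in-addr.arpa reverse lookups that appear only in the Windows 10 run. The reverse lookups name addresses the sample never connects to and are best treated as OS or sandbox background traffic rather than sample indicators. The HTTP endpoints for zipansion.com and yxeepsek.net also differ between the two runs (104.21.x.x versus 172.67.x.x, both Cloudflare ranges), so the domains are the durable indicators and the IPs are not. The script below is an added example, not part of the sandbox report: it parses the table rows exactly as printed, separates domain indicators from reverse-lookup noise, and groups the contacted endpoints per domain. The embedded table is a constructed subset of the rows above; the resolver address is a parameter because it is a property of the sandbox, not of the sample.

```python
import re
from collections import defaultdict

# Constructed from the Network tables of behavioral1 and behavioral2 above
# (a representative subset, same column order: Country Destination Domain Proto).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 104.21.73.114:80 zipansion.com tcp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
"""

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts; skip the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def ptr_target(name):
    """For an IPv4 reverse-lookup name return the address it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows, resolver="8.8.8.8"):
    """Split rows into domain indicators (with contacted endpoints) and PTR noise.

    resolver is the sandbox DNS server; queries to it name a domain but the
    resolver address itself is never an indicator of the sample.
    """
    domains = defaultdict(set)  # domain -> {"ip:port", ...} actually contacted
    ptr_noise = []              # addresses looked up in reverse, never connected to
    for r in rows:
        looked_up = ptr_target(r["name"])
        if looked_up is not None:
            ptr_noise.append(looked_up)
            continue
        if r["ip"] == resolver and r["port"] == 53:
            domains[r["name"]]  # register the queried name even if never contacted
            continue
        domains[r["name"]].add(f"{r['ip']}:{r['port']}")
    return {
        "domains": {name: sorted(eps) for name, eps in domains.items()},
        "ptr_noise": sorted(set(ptr_noise)),
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for name, endpoints in sorted(result["domains"].items()):
        print(f"{name}: {', '.join(endpoints) or 'queried only'}")
    print("reverse lookups (background, not sample IOCs):", result["ptr_noise"])
```

Feeding the full behavioral2 table through this yields only the two domains as indicators; every remaining row collapses into the noise bucket, which is the list to check against known sandbox or telemetry ranges before anyone puts it in a blocklist.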

Files

memory/4024-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4024-1-0x0000000001C70000-0x0000000001DA3000-memory.dmp

memory/4024-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe

MD5 51d94b6a220a347d5154dd3ee18819a2
SHA1 a7ac9a2268ce0850357db2a67e1feb937566f533
SHA256 2afdf33da24e21e1012b4c8b512edae5565a37c9e62cfdc5c492a2688bccd6ec
SHA512 50c8c93b4e92100f01df4c43dcd4aeb31360b4619095ef6170e90286e22de2b73d0a7144993dc6104faaa6d172ff269ede38b79042f9f87157b2aadae8c8b290

memory/4024-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3400-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3400-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3400-14-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/3400-20-0x0000000005690000-0x00000000058BA000-memory.dmp

memory/3400-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3400-28-0x0000000000400000-0x00000000008EF000-memory.dmp
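Two things in the Files sections of behavioral1 and behavioral2 deserve a closer look than the raw listing gives. First, the dropped-file path C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe appears three times in behavioral1 with three different hash sets, so the same path held three distinct contents during the run, which is what the "Deletes itself", "RenamesItself" and "Executes dropped EXE" signatures describe. Second, the memory dumps at the image base 0x400000 are captured with different end addresses in the same process (0x8EF000, then 0x62A000 or 0x61D000), meaning the mapping at the original image base changed size during execution; that is the footprint one expects behind the "Suspicious use of UnmapMainImage" and "WriteProcessMemory" signatures in the summary. The script below is an added example, not part of the sandbox report. It assumes the dump names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp (an assumption about the naming; the numbers are read straight from the names above) and uses the behavioral1 dump names and hash records as constructed input.

```python
import re
from collections import defaultdict

# Constructed from the behavioral1 Files section above (PIDs 3048 and 2380).
MEMORY_DUMPS = """\
memory/3048-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3048-2-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/3048-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3048-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3048-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/2380-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2380-18-0x00000000002C0000-0x00000000003F3000-memory.dmp
memory/2380-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2380-25-0x0000000003550000-0x000000000377A000-memory.dmp
memory/2380-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2380-31-0x0000000000400000-0x00000000008EF000-memory.dmp
"""

# Constructed from the three dropped-file records in behavioral1: (path, SHA256).
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe",
     "a8f531c13a301496fcce71a137c16d0f46c0c37d037b7e423f3d730461693727"),
    (r"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe",
     "e2aabb77bbb71fbcae9c4f2faaa50a3122e2d5444383f7233f938e33a2b0ad53"),
    (r"\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe",
     "66dc188c0d782375e865ace1e65420350bcfe63d40fb6a188f770c9129fbfb74"),
]

# Assumed naming: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """Parse dump names into (pid, seq, start, end) records ordered by pid and capture sequence."""
    dumps = []
    for name in text.split():
        m = DUMP.fullmatch(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name!r}")
        dumps.append({
            "pid": int(m["pid"]),
            "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
        })
    return sorted(dumps, key=lambda d: (d["pid"], d["seq"]))


def image_base_history(dumps, base=0x400000):
    """Per PID, the sizes of the region captured at the image base, in capture order."""
    history = defaultdict(list)
    for d in dumps:
        if d["start"] == base:
            history[d["pid"]].append(d["end"] - d["start"])
    return dict(history)


def flag_remapped_image(dumps, base=0x400000):
    """PIDs whose image-base region was captured with more than one size.

    A region at the original image base that changes size mid-run means the
    original mapping was torn down and something else was mapped in its place.
    """
    return sorted(pid for pid, sizes in image_base_history(dumps, base).items()
                  if len(set(sizes)) > 1)


def normalize_path(path):
    """Case-insensitive, drive-letter-insensitive key so 'C:\\Users\\..' and '\\Users\\..' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def rewritten_paths(records):
    """Paths that were observed with more than one distinct content hash."""
    hashes_by_path = defaultdict(set)
    for path, sha256 in records:
        hashes_by_path[normalize_path(path)].add(sha256)
    return sorted(p for p, hashes in hashes_by_path.items() if len(hashes) > 1)


if __name__ == "__main__":
    dumps = parse_dumps(MEMORY_DUMPS)
    for pid, sizes in sorted(image_base_history(dumps).items()):
        print(f"pid {pid}: image-base region sizes {[hex(s) for s in sizes]}")
    print("PIDs with a remapped image base:", flag_remapped_image(dumps))
    print("paths rewritten with different content:", rewritten_paths(DROPPED_FILES))
```

Run against the behavioral2 dump names the same way, the check flags PIDs 4024 and 3400; the sizes 0x4EF000 and 0x22A000 recur across both platforms, which is a useful sanity check that the two detonations exercised the same unpacking path.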