Malware Analysis Report

2025-03-15 07:45

Sample ID 240212-dfct5saf2y
Target 960fa5935476e6fce5542912c57e4301
SHA256 eccded5bae97d375cb00523238d3d688df33fe1fccdcd9e1af0973f2fdd3f6fa
Tags upx gozi banker isfb trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 eccded5bae97d375cb00523238d3d688df33fe1fccdcd9e1af0973f2fdd3f6fa

Threat Level: Known bad

The file 960fa5935476e6fce5542912c57e4301 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-02-12 02:56

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-12 02:56

Reported 2024-02-12 02:59

Platform win10v2004-20231222-en

Max time kernel 91s

Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3604-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3604-1-0x0000000001CC0000-0x0000000001DD2000-memory.dmp

memory/3604-2-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3604-13-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

MD5 04fb2af169bebeaae6af51d2adfad125
SHA1 75914527bb6869159bb2fdaf80325d5094121b1c
SHA256 e30c22bc8ba32d9943f8339a2c0489489614f6b99a61263ca9a6bd1dac33b01f
SHA512 9c3ad3d031ed7ed2f4c037f25d547035bb57a9aa229fe82fd65ec6631a10be83ef2c08e074ae3a45f60878b99f81f99229f9174aa0b16dfb87afc2b1bf31b048

memory/8-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/8-17-0x0000000001C60000-0x0000000001D72000-memory.dmp

memory/8-14-0x0000000000400000-0x000000000086A000-memory.dmp

memory/8-23-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-12 02:56

Reported 2024-02-12 02:59

Platform win7-20231129-en

Max time kernel 118s

Max time network 121s

Command Line

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2972-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2972-2-0x0000000001A60000-0x0000000001B72000-memory.dmp

\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

MD5 efb096fceb426b856fbd1cc75281d763
SHA1 7bc3c372f7915575fe962249beac66ef00fba897
SHA256 d7c6351d6511a78f11eee86465ac4f5a8b0acb3c34190dd37f4097f0f90e5033
SHA512 6a66124841ff3790f75ad97326ae2a4cd8f525176877e45a90b54bbb4b99f60ffb629ae844cbacb9ef713f9239afbfd1978ab9f661d1924c0b25465a40aeaae5

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

MD5 1733bff9d0634f1063fe87495d8fce18
SHA1 272d173649dcfe190b619bc6bfedbb006651e160
SHA256 46a9cc13c2b1c61a30999919072f0540b881b30800391f9652e20b774424ce88
SHA512 f8d587abf4f7592d7a0aa123c575baf3935311f0406fea65b4bfa4049d424beee7a2fd6beb96352e57d4e99a7bde58f1c96499cff54d7f439b2aee234b0a6a09

memory/2972-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3008-17-0x0000000000270000-0x0000000000382000-memory.dmp

memory/3008-19-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3008-16-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe

MD5 3326c51f102158ae50fab09194f2bcd4
SHA1 d97d96ed04563cce1b7459abf3fadfd2349e096d
SHA256 63ed041fd56a5ef2bdfc99a857e6c50fe6fb8ab0c002d2bb810fb86d362258c3
SHA512 3f9d35cacdc32201c686650f4dbd05cc6127f5f4eb889a57433f55395d12a6d6b95c0ed3ea8fb8362690bc9a2b05167e4f153a76b7d85a0ffdf36db9cb2ada56

memory/2972-1-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3008-25-0x0000000000400000-0x000000000086A000-memory.dmp