Malware Analysis Report

2025-03-15 07:45

Sample ID 240212-dnv1pabe4y
Target 96171198667f338c9b6a448410f3dbcc
SHA256 b575502c207ba5c7cfa96f4f8d7fe5d3a6b9d3423a07599dad003abd5fc91623
Tags
upx isfb gozi
score
10/10


Analysis Overview

score
10/10

SHA256

b575502c207ba5c7cfa96f4f8d7fe5d3a6b9d3423a07599dad003abd5fc91623

Threat Level: Known bad

The file 96171198667f338c9b6a448410f3dbcc was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-12 03:09

Signatures

Gozi family

gozi

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 03:09

Reported

2024-02-12 03:12

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/1752-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1752-1-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1752-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

MD5 2feccc195369f5aec10b03c5e7fbde7b
SHA1 8d27eea18f4fd523881ebe6c4fa8a4e3bab6e801
SHA256 5d5eb54589b91a97ee7ec64e22a66e9eb20956a50c86ceed8595b659fa3d6092
SHA512 7ec1bea4d150756eb0571f9a4369ae7d77e937420b5976b1f5d0755b3745d824234a88f9d971bc121c932094900a53e025d59c6e14beda5ff465be750deec83f

memory/1752-14-0x0000000003770000-0x0000000003C5F000-memory.dmp

memory/3000-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3000-18-0x0000000000400000-0x00000000008EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

MD5 16e95fe3bba41850a8e30abf0695dbaf
SHA1 b22b9ccbef42845f1a7c71dcd66efb4288d5cdc1
SHA256 8ec26f513b6653e96f3938647a9ec817481e0e4193411e2f6322e715c2b482b9
SHA512 f5c63129794818d6b4f61c37438d79c32b9c9e6d3429dcbadb496ba8d1b077ddc1f4c5f7bb34caba1a15b7352b5baa61375aa8dd0ffa368e11a7aedeedc8d3b3

memory/3000-20-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1752-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

MD5 0713a7a59b9d761e83f332206b43bded
SHA1 5ae760da8665097766e89cd2005374c2fce76370
SHA256 fd7748bc553ba107e22ec6ae62225637657905c970a555486a405742931ebfb3
SHA512 803964c4fd0459b6ddaeafaeb24fd44e6aa56df897a11f2cf663ee7366bee070f5b8d43a53fdc41e2df547c380dc02f43eb2c88f62e91e663bcee88b73e831fe

memory/3000-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3000-25-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/1752-31-0x0000000003770000-0x0000000003C5F000-memory.dmp

memory/3000-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 03:09

Reported

2024-02-12 03:13

Platform

win10v2004-20231215-en

Max time kernel

123s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/3548-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3548-1-0x0000000001D10000-0x0000000001E43000-memory.dmp

memory/3548-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe

MD5 65c45fedd1870ca2ea0d98133c343b50
SHA1 c8f033c45bff4d281f0c1405aedc3f4545ae5d30
SHA256 ad18dc75065ab4f9a269a71f684ac9ba3abb170de78ec532fec08044bfc8fc59
SHA512 ca54773d836669f519413093eb12918ad0d9da9ab2ee91e5eba4ed1355b3e6de5d9ad44d24d2d424f279b07b6e687c1aa63a8712441617426ccf9a838f7e8c85

memory/3548-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3228-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3228-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3228-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/3228-20-0x0000000005580000-0x00000000057AA000-memory.dmp

memory/3228-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3228-28-0x0000000000400000-0x00000000008EF000-memory.dmp