Malware Analysis Report

2025-03-15 07:46

Sample ID: 240212-msdfwabc6y
Target: 96f6737e503c59e21fb20a6d52a571be
SHA256: 547f1d26fb48ddfe7804fce88ff4480776c1ec83e5e6279514996c2e0405210b
Tags: upx, gozi, banker, isfb, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 547f1d26fb48ddfe7804fce88ff4480776c1ec83e5e6279514996c2e0405210b

Threat Level: Known bad (the file 96f6737e503c59e21fb20a6d52a571be was classified as known bad)

Malicious Activity Summary

Tags: upx, gozi, banker, isfb, trojan

Gozi (ISFB banking trojan family match)

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Analyst note: UnmapMainImage together with WriteProcessMemory, and a second instance of the same executable in each behavioral process list, is the sequence used by process hollowing (unmap the child's image, write a replacement into it, resume the child). The memory dumps in both runs are consistent with that reading: the region at the image base 0x400000 is dumped more than once per process with different sizes. Both runs contacted the same two domains (zipansion.com and yxeepsek.net, see the Network sections), which are the actionable indicators here; the IP addresses differ between the two runs. The MITRE ATT&CK section of this report carries no mapping.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-12 10:43

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
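The two static signatures above are cheap header checks that any analyst can reproduce without the sandbox. The following is an added example, not the sandbox's own rule code and not the analysed file: a stdlib-only walk of the PE headers that reads the section table (UPX leaves sections named UPX0/UPX1 and writes a "UPX!" marker into its own header) and inspects the Authenticode certificate table (data directory entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY), whose absence is what "Unsigned PE" means. A minimal synthetic PE32 is constructed in-process so the example runs offline; `build_sample_pe`, `triage` and the other function names are this example's own.

```python
"""Reimplementation of the 'UPX packed file' and 'Unsigned PE' static checks (example code)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # certificate table slot in the data directory
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def _pe_layout(data):
    """Return (num_sections, data_directory_offset, num_directories, section_table_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]         # COFF SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, ndirs_off)[0]
    return num_sections, dirs_off, num_dirs, opt_off + opt_size


def section_names(data):
    """Section names from the 40-byte IMAGE_SECTION_HEADER entries (name is the first 8 bytes)."""
    num_sections, _, _, sec_off = _pe_layout(data)
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def is_upx_packed(data):
    """Section-name check plus the 'UPX!' magic. Section names are trivially renamed, so
    this is a packer hint, not proof; entropy or the unpack stub would be the next check."""
    return bool(UPX_SECTION_NAMES & set(section_names(data))) or b"UPX!" in data


def has_authenticode(data):
    """True when the certificate table directory entry has a non-zero offset and size.
    Presence only: this does not validate the signature or its chain."""
    _, dirs_off, num_dirs, _ = _pe_layout(data)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0


def build_sample_pe(names, signed):
    """Constructed minimal PE32 (DOS header, COFF header, 224-byte optional header, section
    table) used as offline test input; it is not the sample from this report."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if signed:                                 # fake certificate table entry (file offset, size)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    table = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def triage(data):
    """The two verdicts this report's static1 analysis reports, as a dict."""
    return {"sections": section_names(data),
            "upx": is_upx_packed(data),
            "signed": has_authenticode(data)}


if __name__ == "__main__":
    print(triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print(triage(build_sample_pe([".text", ".data"], signed=True)))
```

To run it against a real file, replace the synthetic buffer with `open(path, "rb").read()`; the header walk is the same for PE32 and PE32+.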

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 10:43

Reported

2024-02-12 10:45

Platform

win7-20231215-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"

Signatures

Gozi (tags: banker, trojan, gozi)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp

Files

memory/1340-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1340-1-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1340-3-0x0000000001B10000-0x0000000001C41000-memory.dmp

\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

MD5: 3df1c2578681ce3543e3f2648ee33f60
SHA1: 204793efcc0e3318a2dc58527688ea7c700f2b16
SHA256: 0087fb172ca088bb69e60eda8e68743b3f0ef006244be33eefa569b0371d4816
SHA512: 02c98d7ae6b18067dbc08ce0fea00703cda572dca92c9e7255ad34e2b6a789eb516a8459acd8accf97a289c223f36b4e519f217230d5ac7767f782de3a7c2e91

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

MD5: 7aafe619375a91e34e20db38917d8d5b
SHA1: 6cc0654be613ff4ca47ee7e539e6123fdf37b396
SHA256: 11df256d3504da14db24262e1d6e7767a70cd7d4e252bf599acd463c0f072c7e
SHA512: a3ca270c284c264db16a62db581bc3c45e8990b0166cfcb5ce56d75a91f31a867b780b2d86ebf19342160f791b4301e715e28269f86b0032df26afa65a308531

Note: both entries are the submitted path, yet they carry different hashes, and neither SHA256 matches the submitted sample (547f1d26fb48ddfe7804fce88ff4480776c1ec83e5e6279514996c2e0405210b). The file at that location was rewritten during the run, which is what the Deletes itself and RenamesItself signatures above record. Do not use these dropped-file hashes as the sample's identifier.

memory/2940-16-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1340-14-0x0000000003E30000-0x0000000004317000-memory.dmp

memory/1340-13-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2940-18-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2940-17-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2940-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2940-25-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/1340-31-0x0000000003E30000-0x0000000004317000-memory.dmp

memory/2940-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 10:43

Reported

2024-02-12 10:45

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | zipansion.com | udp
US | 172.67.144.180:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 172.67.194.101:80 | yxeepsek.net | tcp
US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp
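The behavioral2 table above, unlike the behavioral1 one, is dominated by PTR lookups under in-addr.arpa. Those are reverse lookups of IP addresses, and only two of them (180.144.67.172 and 101.194.67.172) reverse to addresses the sample actually connected to over TCP; the rest have no matching connection in the capture and should not be promoted to indicators without corroboration. The following is an added example, not part of the original report: it parses the network table as printed, turns each PTR name back into the address it reverses, collects the TCP destinations per domain as the indicator set, and splits the reverse lookups into corroborated ones and uncorroborated background. The NETWORK_ROWS constant is the behavioral2 table copied from this page; `parse_rows`, `ptr_to_ip` and `classify` are this example's own names.

```python
"""Separate contact indicators from reverse-lookup noise in a sandbox network table (example code)."""
from collections import defaultdict

# Behavioral2 network table from this report, copied as printed (constructed input for the example).
NETWORK_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
"""


def parse_rows(text):
    """One dict per 'Country Destination Domain Proto' row; Destination is split into ip and port."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(rows):
    """Indicators = domains with the TCP destinations they resolved to.
    PTR lookups are corroborated only if the reversed address was itself a TCP destination."""
    tcp_by_ip = {r["ip"]: r["domain"] for r in rows if r["proto"] == "tcp"}
    iocs = defaultdict(set)
    for ip, domain in tcp_by_ip.items():
        iocs[domain].add(ip)
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and ptr_to_ip(r["domain"]) is None}
    corroborated, background = set(), set()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            continue
        (corroborated if ip in tcp_by_ip else background).add(ip)
    return {
        "iocs": {d: sorted(ips) for d, ips in sorted(iocs.items())},
        "dns_queries": sorted(queried),
        "ptr_corroborated": sorted(corroborated),
        "ptr_background": sorted(background),
    }


if __name__ == "__main__":
    for key, value in classify(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

Block on the domains rather than the addresses: the same two domains resolved to different addresses in behavioral1 (104.21.73.114, 104.21.20.204) and behavioral2 (172.67.144.180, 172.67.194.101), so an address-based rule written from one run would miss the other.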

Files

memory/4280-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/4280-1-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/4280-2-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4280-13-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe

MD5: 60fc94b25e54ad2178a19841573c9ea7
SHA1: 7a2e7f8ce6863adf4480b391d0be1d4d79d9c301
SHA256: 5407bdf40099951e54b2cf87548c9b9695cfd4676e43ada4f9e2efffa7c8d436
SHA512: 1332388f227c09a0b67a9b5527dcb89b7143b8b3477008706a12891a758c10259832f4df9be71139f6612fb32bc785546021878adc6e467c111999ffd0ddafe3

Note: as in behavioral1, this is the submitted path with a SHA256 that matches neither the sample (547f1d26fb48ddfe7804fce88ff4480776c1ec83e5e6279514996c2e0405210b) nor either of the behavioral1 dropped files; the rewritten file differs per run.

memory/3248-14-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3248-16-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3248-15-0x0000000001CD0000-0x0000000001E01000-memory.dmp

memory/3248-21-0x00000000055C0000-0x00000000057E2000-memory.dmp

memory/3248-22-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3248-29-0x0000000000400000-0x00000000008E7000-memory.dmp
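The dump names in both Files sections encode the process ID, a dump index, and the start and end address of the region dumped (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp). Read that way, both runs show the same shape: the region at the image base 0x400000 is dumped first at 0x4E7000 bytes and later at 0x222000 and 0x216000 bytes, and a heap region elsewhere has exactly the size of one of those image-base mappings (1340 at 0x3E30000 and 2940 at 0x33F0000 in behavioral1, 3248 at 0x55C0000 in behavioral2). The following is an added example, not part of the report and not any sandbox vendor's tooling: it parses the names, tracks the image-base region size per process in dump order, and flags same-sized regions away from the image base as candidate staged copies of the image, a cheap heuristic for where to look first for the unpacked payload. The two constants are the Files lists above copied as printed; IMAGE_BASE and the function names are this example's own assumptions.

```python
"""Triage of sandbox memory-dump names (example code, not the sandbox's own tooling)."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
IMAGE_BASE = 0x400000  # assumed: default base of a non-relocated 32-bit image

# Dump names copied from the behavioral1 and behavioral2 Files sections of this report.
BEHAVIORAL1 = """
memory/1340-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/1340-1-0x0000000000400000-0x0000000000622000-memory.dmp
memory/1340-3-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2940-16-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/1340-14-0x0000000003E30000-0x0000000004317000-memory.dmp
memory/1340-13-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2940-18-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2940-17-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2940-23-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2940-25-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/1340-31-0x0000000003E30000-0x0000000004317000-memory.dmp
memory/2940-32-0x0000000000400000-0x00000000008E7000-memory.dmp
"""

BEHAVIORAL2 = """
memory/4280-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/4280-1-0x00000000018F0000-0x0000000001A21000-memory.dmp
memory/4280-2-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4280-13-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3248-14-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/3248-16-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3248-15-0x0000000001CD0000-0x0000000001E01000-memory.dmp
memory/3248-21-0x00000000055C0000-0x00000000057E2000-memory.dmp
memory/3248-22-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3248-29-0x0000000000400000-0x00000000008E7000-memory.dmp
"""


def parse_dump_name(name):
    """memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp -> dict with pid, idx, start, end, size."""
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not a dump name: %r" % name)
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "idx": idx, "start": start, "end": end, "size": end - start}


def parse_dumps(text):
    """All dump names in a block of text, ordered by dump index (the order they were taken)."""
    return sorted((parse_dump_name(n) for n in text.split()), key=lambda d: d["idx"])


def image_history(dumps, base=IMAGE_BASE):
    """Per PID, the sizes of the region mapped at the image base, in dump order."""
    hist = defaultdict(list)
    for d in dumps:
        if d["start"] == base:
            hist[d["pid"]].append(d["size"])
    return dict(hist)


def shrinking_image_pids(dumps, base=IMAGE_BASE):
    """PIDs whose image-base mapping is later dumped smaller than when first seen,
    the signature one expects when the original image is unmapped and replaced."""
    return sorted(pid for pid, sizes in image_history(dumps, base).items()
                  if any(s < sizes[0] for s in sizes[1:]))


def staged_copies(dumps, base=IMAGE_BASE):
    """Regions away from the image base whose size exactly equals an image-base mapping:
    a heuristic for a buffer holding a full copy of the image before it is written elsewhere."""
    image_sizes = {d["size"] for d in dumps if d["start"] == base}
    return sorted({(d["pid"], d["start"], d["size"]) for d in dumps
                   if d["start"] != base and d["size"] in image_sizes})


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        dumps = parse_dumps(text)
        print(label, "image history:", {p: [hex(s) for s in v] for p, v in image_history(dumps).items()})
        print(label, "shrinking image base in PIDs:", shrinking_image_pids(dumps))
        print(label, "staged copies:", [(p, hex(a), hex(s)) for p, a, s in staged_copies(dumps)])
```

The size match is only a pointer: confirm by opening the flagged dump and checking for an MZ/PE header at its start before treating it as the unpacked image.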