Malware Analysis Report

2025-03-15 07:47

Sample ID 240212-sq9desaf78
Target 977a7994d9f57e5e2c9631ef923c65a4
SHA256 9a8b39f61b84aef85c96cd8bc02d1c940cea8624d4a4ab8f4adbd33ba6cc8059
Tags
upx gozi banker isfb trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9a8b39f61b84aef85c96cd8bc02d1c940cea8624d4a4ab8f4adbd33ba6cc8059

Threat Level: Known bad

The file 977a7994d9f57e5e2c9631ef923c65a4 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-12 15:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 15:20

Reported

2024-02-12 15:23

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

"C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe"

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2124-0-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2124-1-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2124-4-0x0000000000270000-0x0000000000382000-memory.dmp

memory/2124-14-0x0000000000400000-0x00000000005F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

MD5 2940886cbfaf7d7b6b1c7e597f2a7363
SHA1 877a09ccce035197be8fbfa9865673b5e072748c
SHA256 66fff977d66b42f2339e65f1fadee9bdf901f01ed0b5ea3abd2b1b97f1924ce0
SHA512 441a6160628b11674de1f7c6731180165347a730ab966a7f5fd27d871775469e511e7bf6da4a0ef8a46c04a33a3810da041fec14356d03417c9ed9bc2c2f6d87

memory/2124-16-0x0000000003D00000-0x000000000416A000-memory.dmp

memory/2424-17-0x0000000000400000-0x000000000086A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

MD5 07033f1a4268d0180895b130c49d3ad9
SHA1 0f038dfef47a8d8bce1ba1b217ae2c40f99084b7
SHA256 d7e2044d6420565c768f5fbe169f467a74ca8696a3bfa7e43fdc3cde6d42a25d
SHA512 d0afca4146c97ed70b0f9ac927ecb077dfd79a942033eab3e8305f077d56b17b134c8dd7ddd45dd38b9f1fa714fa74c5e18e301b8600cfcc1f960fc1b00876f6

memory/2424-19-0x0000000000130000-0x0000000000242000-memory.dmp

memory/2424-18-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2124-26-0x0000000003D00000-0x000000000416A000-memory.dmp

memory/2424-27-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 15:20

Reported

2024-02-12 15:23

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

"C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe"

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/4696-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/4696-1-0x0000000001870000-0x0000000001982000-memory.dmp

memory/4696-2-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1688-15-0x0000000000400000-0x000000000086A000-memory.dmp

memory/4696-14-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\977a7994d9f57e5e2c9631ef923c65a4.exe

MD5 7b3c1caffdc95468cacec056386aa467
SHA1 cf42cbe7026809db0b561453bdf056456403f557
SHA256 8a902bec56ab21e9172f45b4e0ef17ee4b027c73c224d053f0f391548d541723
SHA512 3b3312a867839c20c81eab343b679068aac8279925895eccf72124a754fdb70cbf72fbf41d09d3fe78eb682dde2783af0363f7949bff77a9293116cea3b0ecee

memory/1688-17-0x0000000001870000-0x0000000001982000-memory.dmp

memory/1688-16-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1688-24-0x0000000000400000-0x000000000086A000-memory.dmp