Malware Analysis Report

2025-03-15 07:47

Sample ID 240213-erb8eshc4y
Target 9870cb5147bf608fc2854c9f88d5b865
SHA256 ce3391bd967d6b855e26ccadda344630a09698a586d4880ae38100001d25c332
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ce3391bd967d6b855e26ccadda344630a09698a586d4880ae38100001d25c332

Threat Level: Known bad

The file 9870cb5147bf608fc2854c9f88d5b865 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-13 04:10

Signatures

Gozi family

gozi

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 04:10

Reported

2024-02-13 04:13

Platform

win7-20231215-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         zipansion.com  udp
US       172.67.144.180:80  zipansion.com  tcp
US       8.8.8.8:53         cli.re         udp
US       172.67.220.142:80  cli.re         tcp

Files

memory/2916-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2916-1-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2916-2-0x0000000001A60000-0x0000000001B72000-memory.dmp

\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

MD5 6b7fe3ed873b036b0c0bb5a862bf3e40
SHA1 b04ca5d434e239fe8d89bc55f3f3a5037e62bce3
SHA256 c28f090dfedad37db67498ee033d7e32a37bffbde51046cabca5cf186f357597
SHA512 ee6ac51f5ba7a0f2f0a483d54fce4c52bf39ebfa3b32c566cbb763ed75d633e9b0d871fd1e730628a4cadc7fcbe700dc07dac830a630092245bdc4d0b23167fa

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

MD5 03d048713d4777a5a88a6287a8293d90
SHA1 daf0487fb4ed92792edce6e1785f11d1b059d725
SHA256 c65d4787f41059f526dce4cf0073971a14f8616114a49103da3549594ae82c9e
SHA512 95af50c30edd30a19b34f466dfb526199e30222221f4fe88d2ff17da331ee7b53bca095570662516943d423559f600feef77c5731bc2ea5c52f19268089fa62f

memory/2916-16-0x0000000004690000-0x0000000004AFA000-memory.dmp

memory/2916-14-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2660-17-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2660-18-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2660-20-0x0000000000270000-0x0000000000382000-memory.dmp

memory/2916-25-0x0000000004690000-0x0000000004AFA000-memory.dmp

memory/2660-26-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 04:10

Reported

2024-02-13 04:13

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         58.55.71.13.in-addr.arpa     udp
US       8.8.8.8:53         zipansion.com                udp
US       104.21.73.114:80   zipansion.com                tcp
US       8.8.8.8:53         114.73.21.104.in-addr.arpa   udp
US       8.8.8.8:53         yxeepsek.net                 udp
US       8.8.8.8:53         76.32.126.40.in-addr.arpa    udp
US       172.67.194.101:80  yxeepsek.net                 tcp
US       8.8.8.8:53         101.194.67.172.in-addr.arpa  udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53         0.205.248.87.in-addr.arpa    udp
US       8.8.8.8:53         19.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa  udp
US       8.8.8.8:53         209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53         131.72.42.20.in-addr.arpa    udp

Files

memory/1088-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1088-1-0x0000000001C90000-0x0000000001DA2000-memory.dmp

memory/1088-2-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe

MD5 124c1f2fe4e759abb96b104475eb051c
SHA1 6fbacf21091545fa986072f3270a0e3dc8bd76e5
SHA256 9581607b591603d3e62c3a38a30500b5a3190f74a7389f7c647858f1584314f9
SHA512 21c6fbee041a49c4305b0eefc3413a423a6b8eeaf98e4c1f4bc711bdfc629a8b242673bed6fe742da3c098e9566661720844cce8b33716d1c52839b925f68992

memory/1088-13-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2104-14-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2104-16-0x0000000001C40000-0x0000000001D52000-memory.dmp

memory/2104-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2104-23-0x0000000000400000-0x000000000086A000-memory.dmp