Malware Analysis Report

2025-03-15 07:45

Sample ID 240213-js4fhsed23
Target 98e2a9a5e0c84e21cfb7c7755ef6494a
SHA256 61a60f637baad4c61f7fccde7c22e591c90e1b9af270e9d0e1608c1b4931f0e1
Tags upx gozi banker isfb trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 61a60f637baad4c61f7fccde7c22e591c90e1b9af270e9d0e1608c1b4931f0e1

Threat Level: Known bad

The file 98e2a9a5e0c84e21cfb7c7755ef6494a was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-02-13 07:56

Signatures

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-13 07:56

Reported 2024-02-13 07:59

Platform win7-20231215-en

Max time kernel 119s

Max time network 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

Network

Country  Destination        Domain          Proto
US       8.8.8.8:53         zipansion.com   udp
US       104.21.73.114:80   zipansion.com   tcp
US       8.8.8.8:53         yxeepsek.net    udp
US       104.21.20.204:80   yxeepsek.net    tcp

Files

memory/2212-1-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2212-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2212-3-0x0000000000130000-0x0000000000263000-memory.dmp

\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

MD5 058bdca85cbe60be74ef4927baa0c316
SHA1 9ee359f9284224cf0923e6eb4a0851367c371182
SHA256 2ff8079d0ee46d3c1639f36cf8b8c15e943f37e7456fdcc8668eeb1378a1051c
SHA512 9b81835515280056d73b99676a69a2176d33ee67695dd7cff9507370746493d3ad0d8b8d56b09a4e85ed411289a4b2bddb70d66d657d462d7e2ae4158f3f4b41

memory/2212-15-0x0000000003BB0000-0x000000000409F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

MD5 03f0bb00e3303e543458de571ee900a4
SHA1 5b84453d1b8c29ad8130ec20cafb6482c27b73d6
SHA256 488308d1b767e5fa75898162a8e7c52b347d3ddda0ef783bd1a43d91402b046e
SHA512 76e0ad54b160784f54f4d84e74a2f29e79db88d123551130b6781d772ca026e6df2e43e41d271108210a0540da337f1b57d90a13300ba1d3ed5dfe0f06fc9881

memory/2212-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2704-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2704-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

MD5 6bfebbe01d416eebf1509b2c08883cd0
SHA1 4830ff8933febd422a335b018b6657e927b102ce
SHA256 9e8110af08dc817c54ed6bb27db37f03a3127d3a3c84bcd82074910a711dfe40
SHA512 24389272be3fc32eb5d26da51024fa1b576ae846bbe445669acf97e31391e0e706e07e5ffc40917d33dca3ff1f9fe0899c3c617d13b2990c06fc7539774f5815

memory/2704-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2704-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2704-24-0x0000000003410000-0x000000000363A000-memory.dmp

memory/2212-31-0x0000000003BB0000-0x000000000409F000-memory.dmp

memory/2704-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-13 07:56

Reported 2024-02-13 07:59

Platform win10v2004-20231215-en

Max time kernel 134s

Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

Network

Country  Destination        Domain                         Proto
US       8.8.8.8:53         133.211.185.52.in-addr.arpa    udp
US       8.8.8.8:53         209.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53         zipansion.com                  udp
US       104.21.73.114:80   zipansion.com                  tcp
US       8.8.8.8:53         yxeepsek.net                   udp
US       104.21.20.204:80   yxeepsek.net                   tcp
US       8.8.8.8:53         114.73.21.104.in-addr.arpa     udp
US       8.8.8.8:53         204.20.21.104.in-addr.arpa     udp
US       8.8.8.8:53         23.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53         103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53         217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53         217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53         194.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53         29.243.111.52.in-addr.arpa     udp
US       8.8.8.8:53         173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53         153.141.79.40.in-addr.arpa     udp

Files

memory/2644-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2644-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2644-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe

MD5 898be1bf8e38784e24fb104e628efed5
SHA1 71fc7ddc47c6b3acc6c5c5fe77cbab57998782aa
SHA256 eaaf76998e29c56419d8ad1b896714914be76e832c830c08de2d7b351246ee74
SHA512 1966cd0889584e96f747869ce7901b617779d06829fe1ef9e0a3c95f980833c118402428bf684b0bdde374a4d2da00cc736de98521802e8993f6750408d34728

memory/2644-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1804-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1804-14-0x0000000001CD0000-0x0000000001E03000-memory.dmp

memory/1804-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1804-20-0x00000000055D0000-0x00000000057FA000-memory.dmp

memory/1804-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1804-28-0x0000000000400000-0x00000000008EF000-memory.dmp