Malware Analysis Report

2025-03-15 07:44

Sample ID 240214-qr7j4sbg8z
Target 9bcd713201d89ff4cfcc2e72356606f7
SHA256 7f4d6a21e0166484ccbc09b1428a22e2abf942edec6f2881485e0a31515af138
Tags
upx gozi banker isfb trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7f4d6a21e0166484ccbc09b1428a22e2abf942edec6f2881485e0a31515af138

Threat Level: Known bad

The file 9bcd713201d89ff4cfcc2e72356606f7 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-14 13:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 13:30

Reported

2024-02-14 13:33

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2964-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2964-2-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2964-1-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
MD5 b0aabd74de912a2c3137da7f8a0ccd96
SHA1 3f10922bff39c406d0848c2d62df6c8c0dbad18f
SHA256 02b27f5ce9b75aef45d4ca46f0a6e9a1895ada1ceb49537322ea49873e4e547d
SHA512 862232f5c2fac15bba4019b473b005818021fcf487dcb6f320a6d810c8a4d3a2d3369e7dfcdf14d4fffaa826fdc51b4e161bb16e5afc585af579ec896c217869

memory/2964-15-0x0000000003990000-0x0000000003E7F000-memory.dmp
memory/2964-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2992-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2992-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2992-19-0x0000000000290000-0x00000000003C3000-memory.dmp
memory/2992-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2992-24-0x0000000003520000-0x000000000374A000-memory.dmp
memory/2964-31-0x0000000003990000-0x0000000003E7F000-memory.dmp
memory/2992-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 13:30

Reported

2024-02-14 13:33

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/428-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/428-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/428-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/428-12-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
MD5 3976496183263a870c129bde995563f8
SHA1 3c096e80e446e66d27a84d48d14ec32656edc5cc
SHA256 797e1a764bcc3ec4b4e86d7572e9ddb9e88efe1e2c99f29c9d7773fca5b84272
SHA512 313b3dc1bf265367fd92350d6a52f95e41213619a34225f88418ee4461dd2053c35c22878aef4ef0ec744382f0a684a8e52ccddbf319d40044a8cd54c719b541

memory/5280-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5280-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5280-16-0x0000000001D90000-0x0000000001EC3000-memory.dmp
memory/5280-21-0x0000000005690000-0x00000000058BA000-memory.dmp
memory/5280-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/5280-28-0x0000000000400000-0x00000000008EF000-memory.dmp