Malware Analysis Report

2025-03-15 07:45

Sample ID 240214-rd99hsdg24
Target 9bdf8b5b3f728c8be47c4f5b0fa572b6
SHA256 0140a4cadb180223478f3d9f1ef2ffc4eab01880c21c0a364b020577f07f60e2
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0140a4cadb180223478f3d9f1ef2ffc4eab01880c21c0a364b020577f07f60e2

Threat Level: Known bad

The file 9bdf8b5b3f728c8be47c4f5b0fa572b6 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-14 14:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 14:05

Reported

2024-02-14 14:08

Platform

win7-20231215-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe"

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2348-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2348-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2348-2-0x00000000002A0000-0x00000000003D3000-memory.dmp

memory/2348-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

MD5 d64cef8015c2c2444e4be7525f896608
SHA1 9ff695395be99f53952268a814a2dd8207e657e3
SHA256 9a5f2457b6b4bcc0b56a3ca178b47338d417b8ce9263ff7d4577bd2cfcfc042f
SHA512 0a6999b1ff7b8f4ca63e1dcc852452c14d2d0d54416238b6ade0d6dd81bc0a67f3c13dd0e08c890d14aac85f23c62db2511eaa4a7debf0a97599793be5ec9a4d

memory/2144-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2348-14-0x00000000037C0000-0x0000000003CAF000-memory.dmp

memory/2144-17-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2144-18-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2144-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2144-25-0x0000000003410000-0x000000000363A000-memory.dmp

memory/2144-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 14:05

Reported

2024-02-14 14:08

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe"

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/1444-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1444-1-0x0000000001CF0000-0x0000000001E23000-memory.dmp

memory/1444-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1444-12-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9bdf8b5b3f728c8be47c4f5b0fa572b6.exe

MD5 2ab2d0956bb2c6b74ac810b6af48f782
SHA1 d14e170d701bfe7a16f79265710b6a80b5006e8e
SHA256 5d587d9a5c5d84606c5babf909f4aca75c0bafa2f99a442127f20d582e8a72ae
SHA512 d7c822b09819e99e46bba4f0a79ec270dda9e0409b92fc0d9c50760383efd8b55d9e741899e17f9f3e4817b445e2e290fb866d38e0a1a1b4ed6ed5e813c97617

memory/2012-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2012-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2012-17-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2012-21-0x0000000005590000-0x00000000057BA000-memory.dmp

memory/2012-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2012-28-0x0000000000400000-0x00000000008EF000-memory.dmp