Malware Analysis Report

2025-03-15 07:45

Sample ID 240214-wckppahb8x
Target 9c46597be537e9e70e73f766d6810b75
SHA256 6b436fea8a0eaaf1e637facb64650e7c0b2f23c0e802c2c458e48b62e175bea2
Tags upx gozi banker isfb trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6b436fea8a0eaaf1e637facb64650e7c0b2f23c0e802c2c458e48b62e175bea2

Threat Level: Known bad

The file 9c46597be537e9e70e73f766d6810b75 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-14 17:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
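The two static1 signatures above are cheap to reproduce outside the sandbox. The following is an added example (not the sandbox's own detection logic) that parses a PE by hand with the standard library, flags UPX section names and high-entropy sections, and reports "unsigned" when the security data directory is empty. The build_pe() helper constructs small test images in memory; the real sample is not embedded. Note that a present certificate directory is not a valid signature: that still needs a verifier such as osslsigncode or signtool, which this check does not attempt.

```python
"""Static triage for the report's 'UPX packed file' and 'Unsigned PE' signatures.
Added example, stdlib only; test images are constructed by build_pe()."""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0          # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(blob: bytes) -> dict:
    """Section names/entropies plus whether a certificate directory is present."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", blob, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i                  # IMAGE_SECTION_HEADER
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, hdr)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0"), raw_size, shannon_entropy(data)))
    return {
        "sections": sections,
        "upx_names": any(n in UPX_SECTION_NAMES for n, _, _ in sections),
        "high_entropy_sections": [n for n, size, h in sections if size and h >= HIGH_ENTROPY],
        "has_cert_dir": sec_off != 0 and sec_size != 0,
    }


def triage(blob: bytes) -> list:
    """Tags in the spirit of the report's signature names."""
    info = analyze_pe(blob)
    tags = []
    if info["upx_names"]:
        tags.append("upx")
    if info["high_entropy_sections"]:
        tags.append("high-entropy")
    if not info["has_cert_dir"]:
        tags.append("unsigned")       # no Authenticode blob at all; a present blob still needs verifying
    return tags


def build_pe(section_names, packed: bool, signed: bool) -> bytes:
    """Construct a minimal PE32 image in memory (test data, not the sample)."""
    rng = random.Random(0xC0FFEE)
    num, opt_size, sec_len, align = len(section_names), 224, 0x400, 0x200
    headers_len = -(-(0x40 + 4 + 20 + opt_size + 40 * num) // align) * align
    cert = b"\x10\x00\x00\x00\x00\x02\x02\x00" + b"\0" * 8   # dummy WIN_CERTIFICATE header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, headers_len + num * sec_len, len(cert))
    image = bytearray(0x40)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                # e_lfanew
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102) + opt
    payload = bytearray()
    for i, name in enumerate(section_names):
        data = (bytes(rng.getrandbits(8) for _ in range(sec_len)) if packed
                else b"\x55\x8b\xec\x90\x90\x00\x00\x00" * (sec_len // 8))   # low-entropy "code"
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), sec_len, 0x1000 * (i + 1),
                             sec_len, headers_len + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data
    image += b"\0" * (headers_len - len(image)) + payload
    return bytes(image + (cert if signed else b""))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print(triage(build_pe([b"UPX0", b"UPX1", b".rsrc"], packed=True, signed=False)))
```

Run it with a file path to triage a real binary, or with no arguments to see the constructed UPX-style image tagged. Real UPX files usually have UPX0 with zero raw size (it is the reserved uncompressed region), which is why the entropy check skips sections without raw data.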

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 17:46

Reported

2024-02-14 17:49

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

"C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe"

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2068-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2068-1-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2068-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

MD5 4ad3f19b9f8e0c4b6953ff7f5dd53c0d
SHA1 653eb29063cf09509e2c4237aeadb25687239ba0
SHA256 b9dc4e08502733fe5b4942f123378c22746b87c492034c3d88fa79f207943ea5
SHA512 69b3388b0a9d4323f96da7dafcb7cdc8ddac456aec89999e736603584cdce5df4a13e4fbeb94d7cebbd8e77486b3de68d71b3bbebf25f0a1326f6f601f67477a

memory/2068-11-0x0000000003CD0000-0x00000000041BF000-memory.dmp

memory/2068-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2764-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2764-17-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2764-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2764-24-0x0000000003560000-0x000000000378A000-memory.dmp

memory/2764-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2764-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 17:46

Reported

2024-02-14 17:49

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

"C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe"

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
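Most rows in this table are reverse lookups (in-addr.arpa) that the sandbox or the guest OS issued, not connections the sample made. The following is an added example (its filtering rules are mine, not the sandbox's) that parses the behavioral2 table as copied above, keeps the forward queries and the TCP connections as indicators, reverses the PTR names back into addresses, and separates the PTR lookups for hosts the sample actually connected to (172.67.144.180 and 172.67.194.101) from the ones for addresses that appear nowhere else in the table. The contacted 172.67.x.x addresses fall in Cloudflare's range, so the two domains are the indicators worth keeping.

```python
"""Separate actionable network IOCs from resolver and reverse-DNS noise.
Added example; the table text is copied from the behavioral2 run of this report."""
import ipaddress
from collections import defaultdict

BEHAVIORAL2_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
RESOLVERS = {"8.8.8.8:53"}        # resolver handed to the guest; never an indicator itself


def ptr_to_ip(name: str) -> str:
    """Turn '58.55.71.13.in-addr.arpa' back into '13.71.55.58'."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_rows(table: str) -> list:
    """Rows of the report's Network table as dicts; the header line is skipped."""
    rows = []
    for line in table.strip().splitlines():
        if line.startswith("Country"):
            continue
        country, dest, domain, proto = line.split()
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def extract_iocs(table: str):
    """Return (domain -> set of host:port actually connected to, list of PTR-looked-up IPs)."""
    contacts = defaultdict(set)
    queried = set()
    ptr_ips = []
    for r in parse_rows(table):
        if r["domain"].endswith(PTR_SUFFIX):
            ptr_ips.append(ptr_to_ip(r["domain"]))      # reverse lookup: context, not an IOC
            continue
        if r["dest"] in RESOLVERS:
            queried.add(r["domain"])                    # forward query: the name is the indicator
            continue
        contacts[r["domain"]].add(r["dest"])            # real connection to the resolved host
    for d in queried:
        contacts.setdefault(d, set())                   # queried but never reached still counts
    return dict(contacts), ptr_ips


def classify_ptr(ptr_ips: list, contacts: dict):
    """Split PTR lookups into those for hosts the sample contacted and all others."""
    contacted = {dest.rsplit(":", 1)[0] for dests in contacts.values() for dest in dests}
    own = sorted(ip for ip in ptr_ips if ip in contacted)
    other = sorted(ip for ip in ptr_ips if ip not in contacted)
    return own, other


if __name__ == "__main__":
    contacts, ptrs = extract_iocs(BEHAVIORAL2_NETWORK)
    for domain, dests in contacts.items():
        print(f"IOC domain {domain} -> {', '.join(sorted(dests)) or 'no connection seen'}")
    own, other = classify_ptr(ptrs, contacts)
    print("PTR lookups for contacted hosts:", own)
    print("PTR lookups for hosts not contacted in this table:", other)
```

Feeding the behavioral1 table to extract_iocs() yields the same two domains with the same two destinations; the win7 run simply produced none of the reverse-lookup noise.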

Files

memory/3364-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3364-1-0x0000000001C80000-0x0000000001DB3000-memory.dmp

memory/3364-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3364-12-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9c46597be537e9e70e73f766d6810b75.exe

MD5 ca095a33257a8d5294d940be0cea0689
SHA1 9610a5ebf6fa862d53ecbd84f73fb2a492697865
SHA256 e0fe980d8c5a3719b1901ade671312d5ebbd3b150ad2c159a937aea65544169a
SHA512 5396c80bd164d604b2d95eeb788e2fcf788d154d13ffdc664216b4c902b6de054f604a4dcd87e5760b0e17975f38f365ba6aaa11a7c9559c8ad386f7e25a8921

memory/1552-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1552-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1552-15-0x0000000001E30000-0x0000000001F63000-memory.dmp

memory/1552-20-0x0000000005730000-0x000000000595A000-memory.dmp

memory/1552-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1552-28-0x0000000000400000-0x00000000008EF000-memory.dmp
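The dump names in both Files sections follow the pattern memory/<pid>-<seq>-<start>-<end>-memory.dmp, and read in sequence they tell a story: the 0x400000 image base is captured first at 0x4EF000 bytes, then at 0x22A000, and in the second process also at 0x21D000 before returning to 0x4EF000, while a separate region of exactly one of those sizes shows up elsewhere in each process. That pattern fits the UnmapMainImage and WriteProcessMemory signatures listed in the summary, and the dropped file at the sample's own path carries a different MD5 in each run than the submitted file (the Target field). The following is an added example that parses the names as copied from the report and surfaces those observations; the grouping and flags are this example's heuristics, not the sandbox's.

```python
"""Summarise the memory dumps and dropped-file hashes from the two Files sections.
Added example; dump names and hashes are copied from the report."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")
IMAGE_BASE = 0x400000                     # default base of a non-relocated 32-bit EXE

BEHAVIORAL1_DUMPS = """
memory/2068-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2068-1-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2068-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2068-11-0x0000000003CD0000-0x00000000041BF000-memory.dmp
memory/2068-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2764-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2764-17-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/2764-18-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2764-24-0x0000000003560000-0x000000000378A000-memory.dmp
memory/2764-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2764-31-0x0000000000400000-0x00000000008EF000-memory.dmp
"""

BEHAVIORAL2_DUMPS = """
memory/3364-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3364-1-0x0000000001C80000-0x0000000001DB3000-memory.dmp
memory/3364-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3364-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1552-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1552-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1552-15-0x0000000001E30000-0x0000000001F63000-memory.dmp
memory/1552-20-0x0000000005730000-0x000000000595A000-memory.dmp
memory/1552-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1552-28-0x0000000000400000-0x00000000008EF000-memory.dmp
"""

SUBMITTED_MD5 = "9c46597be537e9e70e73f766d6810b75"      # the report's Target field
DROPPED_MD5 = {"behavioral1": "4ad3f19b9f8e0c4b6953ff7f5dd53c0d",
               "behavioral2": "ca095a33257a8d5294d940be0cea0689"}


def parse_dumps(text: str):
    """Yield (pid, seq, start, size) for every dump name in the text."""
    for m in DUMP_RE.finditer(text):
        pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        yield pid, seq, start, end - start


def remapped_bases(text: str) -> dict:
    """Per PID, sizes seen at the image base in capture order (consecutive repeats collapsed).
    Only PIDs whose image base changed size are returned."""
    sizes = defaultdict(list)
    for pid, _seq, start, size in sorted(parse_dumps(text), key=lambda d: d[1]):
        if start == IMAGE_BASE and (not sizes[pid] or sizes[pid][-1] != size):
            sizes[pid].append(size)
    return {pid: s for pid, s in sizes.items() if len(set(s)) > 1}


def staged_copies(text: str) -> list:
    """Regions away from the image base whose size equals a size seen at the base in the same PID."""
    base_sizes = defaultdict(set)
    dumps = list(parse_dumps(text))
    for pid, _, start, size in dumps:
        if start == IMAGE_BASE:
            base_sizes[pid].add(size)
    return sorted((pid, start, size) for pid, _, start, size in dumps
                  if start != IMAGE_BASE and size in base_sizes[pid])


def rewritten_on_disk() -> list:
    """Runs whose dropped file at the sample's own path no longer hashes like the submission."""
    return sorted(run for run, md5 in DROPPED_MD5.items() if md5 != SUBMITTED_MD5)


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        print(label)
        for pid, sizes in remapped_bases(text).items():
            print(f"  pid {pid}: image base 0x{IMAGE_BASE:X} captured at sizes",
                  ", ".join(f"0x{s:X}" for s in sizes))
        for pid, start, size in staged_copies(text):
            print(f"  pid {pid}: region 0x{start:X} has image-sized extent 0x{size:X}")
    print("dropped file differs from submission in:", rewritten_on_disk())
```

The same functions work on any run's Files section pasted in as text; a PID whose image base is reported at more than one size is the cheapest hint to pull the later dumps and compare their headers against the original file.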