Malware Analysis Report

2025-03-15 07:45

Sample ID 240215-24ynhsba2s
Target 9ed097c39c7cc6e82f5dc72d45952175
SHA256 7354f9ccbc6aa77686a45e617901d475697cbcd1971e97dd92f91bd91025a25f
Tags: upx isfb gozi
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7354f9ccbc6aa77686a45e617901d475697cbcd1971e97dd92f91bd91025a25f

Threat Level: Known bad

The file 9ed097c39c7cc6e82f5dc72d45952175 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-15 23:08

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 23:08

Reported

2024-02-15 23:11

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

MD5 e51287afc7b1fb7453c904c94fbbe406
SHA1 f9fa03b3818c700490261eec01a2af2623946b98
SHA256 f5e044aefdbb5388cc355b117c6d2fbaebcc77674333a397d2b90ef94c053efc
SHA512 5072a3aab0986023a049aaf66c5f20daa322946a68e911e334c129f97415231f37fc9e35ecb9c6145600f8ad3200541b61db9df1f72b4e92fd357a5998eedf75

\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

MD5 ff992a6465abbabdcb3bb9660f450bd4
SHA1 4576f2625ed95367e81998d16f042716880ca709
SHA256 8ba55f8b65c3b47a1801ab33a47f73be17c9981656af751f02b9896b178f69f3
SHA512 b87ab28dc4dbeed3905f6b59bd7db962ddda913a3500059a7cc8290d74b7caab9f0dc3dfd0748c237051fdbd460996f6ec98eb82f7161c456df1339da67b421a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 23:08

Reported

2024-02-15 23:11

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe

MD5 00abc5f008c635d4716b0e194adca16a
SHA1 51fc59996f62323831710a0c20daa82594176c83
SHA256 e914382751a01b3cf42f0e88712f0e69d98277b381ebf5de92a23f8b71a2cfd2
SHA512 e6353995b3e82e18e74e0fc13bce8f9b56d6de9d37ea994b7874f4c233aa671a220e4f396f76ad00c7311449c7a90f4340e4807942c65936bb92cf0138ceb02a
