Malware Analysis Report

2025-03-15 07:45

Sample ID 240215-kzm8jsdg68
Target 9d7f6593d1f0325e6e8db38f67ed072b
SHA256 0d122bf5b2c34969e1420b13dd29eefa41fc4c568d00c072ac83070a10e8ada6
Tags
upx gozi banker isfb trojan
score
10/10


Analysis Overview

score
10/10

SHA256

0d122bf5b2c34969e1420b13dd29eefa41fc4c568d00c072ac83070a10e8ada6

Threat Level: Known bad

The file 9d7f6593d1f0325e6e8db38f67ed072b was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-15 09:02

Signatures

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 09:02

Reported

2024-02-15 09:05

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

"C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe"

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         zipansion.com  udp
US       172.67.144.180:80  zipansion.com  tcp
US       8.8.8.8:53         yxeepsek.net   udp
US       104.21.20.204:80   yxeepsek.net   tcp

Files

memory/1936-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1936-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1936-6-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1936-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

MD5 ddc50a24eb5714395c806810587ad82c
SHA1 2b9d73b7cb951476c53fa8bbb4236b2b60935865
SHA256 1f2ac39c7dbb9d0c2a1e8d5f89d19c145cdc4551c72eff8a12b3815fd293d172
SHA512 64db3e532fb19dce628bcd569888eb9ada1f705a086c14d28c2cc1ab156b2152479ee1e9815398ab2fc1bd90c5051329b510869ab5e7e9dd9ebecf7a77f3101e

memory/1936-14-0x0000000003980000-0x0000000003E6F000-memory.dmp

memory/1948-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1948-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1948-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1948-24-0x0000000003410000-0x000000000363A000-memory.dmp

memory/1948-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1936-31-0x0000000003980000-0x0000000003E6F000-memory.dmp

memory/1948-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 09:02

Reported

2024-02-15 09:05

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

"C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe"

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         183.142.211.20.in-addr.arpa  udp
US       8.8.8.8:53         194.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         zipansion.com                udp
US       172.67.144.180:80  zipansion.com                tcp
US       8.8.8.8:53         yxeepsek.net                 udp
US       172.67.194.101:80  yxeepsek.net                 tcp
US       8.8.8.8:53         180.144.67.172.in-addr.arpa  udp
US       8.8.8.8:53         101.194.67.172.in-addr.arpa  udp
US       8.8.8.8:53         3.181.190.20.in-addr.arpa    udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       20.231.121.79:80                                tcp
US       8.8.8.8:53         149.220.183.52.in-addr.arpa  udp
US       8.8.8.8:53         183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53         56.126.166.20.in-addr.arpa   udp
US       8.8.8.8:53         136.160.77.104.in-addr.arpa  udp
US       8.8.8.8:53         81.171.91.138.in-addr.arpa   udp
US       8.8.8.8:53         114.110.16.96.in-addr.arpa   udp
US       8.8.8.8:53         209.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         13.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53         175.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         26.178.89.13.in-addr.arpa    udp

Files

memory/4200-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4200-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4200-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d7f6593d1f0325e6e8db38f67ed072b.exe

MD5 24c746830eebe98d603e524d33822977
SHA1 6cc8af7418abfd2bbbe7699ae11cd41fcaf35223
SHA256 5636d397ef66d0fdf1e02ba88b5c121b5f9c6399152c28756955d2199b123e96
SHA512 23ca8d4268b883ec600c154e7ec40551162e8f4c1a3f95ab5184aa02028a3c20d6fa81dce921276f6a1d824e58d6f381fbf67329d151df9a24f37cf40b3f6bb9

memory/4200-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4564-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4564-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4564-14-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4564-20-0x0000000005540000-0x000000000576A000-memory.dmp

memory/4564-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/4564-28-0x0000000000400000-0x00000000008EF000-memory.dmp