Malware Analysis Report

2025-03-15 07:45

Sample ID: 240216-k2xj1afa9v
Target: 9ffc27c469da597dfd8428b01c2df7ea
SHA256: 04d8348ee329b1393f7f4724cd833a338de5231b5ace9ecea83c5e9f2b271a4f
Tags: upx gozi banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 04d8348ee329b1393f7f4724cd833a338de5231b5ace9ecea83c5e9f2b271a4f

Threat Level: Known bad

The file 9ffc27c469da597dfd8428b01c2df7ea was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-16 09:06

Signatures

UPX packed file

Tags: upx

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-16 09:06
Reported: 2024-02-16 09:09
Platform: win7-20231215-en
Max time kernel: 118s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe"

Signatures

Gozi

Tags: banker trojan gozi

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

UPX packed file

Tags: upx

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

"C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe"

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         zipansion.com  udp
US       172.67.144.180:80  zipansion.com  tcp
US       8.8.8.8:53         yxeepsek.net   udp
US       172.67.194.101:80  yxeepsek.net   tcp

Files

memory/1204-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1204-1-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1204-3-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1204-14-0x0000000003770000-0x0000000003C5F000-memory.dmp

memory/1204-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

MD5:    c1ef5715de250aa56c4c6399fd72ae05
SHA1:   65c024974bf670dcc1fdfefd583b0c1bd49dc424
SHA256: e263bf9af89452898fd10e302a49a56bd9ef9dbc51202ad01c7fce91335148b9
SHA512: 2f58917df83233cc17e842eff231d7108a6e1d61bd915ae6adeea692053eef09b13fa13c21459fbc4d4f09b575c5c2ded078d60ec7a5ec02375e1a126d5517de

\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

MD5:    f3cfcbe0caade2115f1e9a601eca62ea
SHA1:   616075d7b055b030384c55589e61a6f3a8e8b2b8
SHA256: e8d100e2179bd55c3e4818f2d636833db3053346e5cb3291df98945c654044c8
SHA512: c48782f9a6ca83db56d7f45bb181e46a6cc27a452f32f805d165ffb3c0590f677e3f7d395920108743496bcd184f9efe97a0d7e838c6cddba09eee736e2eadae

memory/2772-16-0x0000000000400000-0x00000000008EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

MD5:    d2d7e9710bb07461178e6963a14556d7
SHA1:   1c274862843c13933f6876817a56b498f2bb14f7
SHA256: d5688d3b3cc08ad315564b497b74d5793660726e783ca62723c7e7ce8329c7b4
SHA512: 700ebb46dbd7e97fa0b1ca99d1e1b3fd4e59957beefb24a2aee888d47a5bdfb168fc1580efb82cf73544a6b6d9978a25962a888e636c2cc34e8750c610a9968a

memory/2772-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2772-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2772-24-0x0000000003410000-0x000000000363A000-memory.dmp

memory/2772-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1204-31-0x0000000003770000-0x0000000003C5F000-memory.dmp

memory/2772-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-16 09:06
Reported: 2024-02-16 09:08
Platform: win10v2004-20231222-en
Max time kernel: 144s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

UPX packed file

Tags: upx

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

"C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe"

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         zipansion.com                 udp
US       104.21.73.114:80   zipansion.com                 tcp
US       8.8.8.8:53         yxeepsek.net                  udp
US       172.67.194.101:80  yxeepsek.net                  tcp
US       8.8.8.8:53         154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53         114.73.21.104.in-addr.arpa    udp
US       8.8.8.8:53         175.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         101.194.67.172.in-addr.arpa   udp
US       8.8.8.8:53         23.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53         79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53         241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53         86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53         13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53         240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53         89.16.208.104.in-addr.arpa    udp

Files

memory/2252-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2252-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2252-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ffc27c469da597dfd8428b01c2df7ea.exe

MD5:    57ee681f84c6bc3bb9abb9f50695aa92
SHA1:   84786720394ed32ea3e71e526575447ac32f4372
SHA256: 1969f31488ab676d6492f9e08d18c17e47fffa7a71c9557f9749cf1225cc8bce
SHA512: 06227031c4e8fe3ad4ac0349b8217eddc85e145cdd0a925301ec79bbc5dd1688566d2e16d77d2038a1d5d0e4703412e763cedb1d07cd664efbcef393ed9e026b

memory/2252-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1148-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1148-13-0x0000000001D80000-0x0000000001EB3000-memory.dmp

memory/1148-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1148-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1148-22-0x0000000005680000-0x00000000058AA000-memory.dmp

memory/1148-28-0x0000000000400000-0x00000000008EF000-memory.dmp