Malware Analysis Report

2025-03-15 07:45

Sample ID 240216-krn5waeg8v
Target 9ff37cadae17a072fc6b6432c89adc43
SHA256 428bb9ddf00087d0f27e439fb85cd3ce1d97b29e263f9b6ab34023e1f39385ac
Tags: upx gozi banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256 428bb9ddf00087d0f27e439fb85cd3ce1d97b29e263f9b6ab34023e1f39385ac

Threat Level: Known bad

The file 9ff37cadae17a072fc6b6432c89adc43 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-16 08:50

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-16 08:50
Reported: 2024-02-16 08:52
Platform: win10v2004-20231215-en
Max time kernel: 92s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

"C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe"

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 172.67.194.101:80 | yxeepsek.net | tcp
US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp

Files

memory/3872-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3872-1-0x0000000001870000-0x0000000001982000-memory.dmp

memory/3872-2-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

MD5 fec9df3df61653393d03adadcc0efe5c
SHA1 1585cad0aec439a23ffeb90afb76485e0f60c48e
SHA256 c4f0f99453c8782241de179139dd31374f941c08f3819b64bd6175daffdf0523
SHA512 19eddbbb804498c55ee61a0bd23512a2ff5531b2e95cc3d9e38e276f8cf9aa4926f43acd7bf14db0e4e27db2c61067fb7b1e6b3715ee9531aa24f85fe1e635eb

memory/3872-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3404-17-0x0000000001870000-0x0000000001982000-memory.dmp

memory/3404-16-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3404-14-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3404-24-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-16 08:50
Reported: 2024-02-16 08:52
Platform: win7-20231215-en
Max time kernel: 119s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

"C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe"

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp

Files

memory/2220-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2220-1-0x0000000001A60000-0x0000000001B72000-memory.dmp

memory/2220-2-0x0000000000400000-0x00000000005F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

MD5 198a59aa7625f089a86f980081cc70b3
SHA1 dff0cee8be72d009af76355ae520831331b6b5e3
SHA256 d762f39fdb4e04a1deacc92ea2995ce9e607b9f321ac0b6882a15e3c78857a97
SHA512 37b182100ddc8a203baf24bca1c1ecc1f087cbf0dbf10488af270a3df43a4b0ca7996b8c9a9114e954504b726e7043078e61140ab113af5de982b438d8c1cec0

C:\Users\Admin\AppData\Local\Temp\9ff37cadae17a072fc6b6432c89adc43.exe

MD5 280498f1dd28576190e2c9a1dc601a12
SHA1 4ed3220d5507d94fc71b81b57d4ed6f688786118
SHA256 2d73abb37f787304267de9d66a240cde18b38d1c1f178a02e08006463be46cff
SHA512 922a9882e3a09ac6c26e7696357786f603c1169f6da0e0a070979d72a8a5bc0508ad0123061878bcf563b9e88734995a6da3636695294d74a122880c89508c3c

memory/2220-14-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2220-16-0x0000000004690000-0x0000000004AFA000-memory.dmp

memory/3024-17-0x0000000000400000-0x000000000086A000-memory.dmp

memory/3024-19-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/3024-18-0x0000000001A60000-0x0000000001B72000-memory.dmp

memory/2220-26-0x0000000004690000-0x0000000004AFA000-memory.dmp

memory/3024-27-0x0000000000400000-0x000000000086A000-memory.dmp