Malware Analysis Report

2025-01-22 18:53

Sample ID: 240306-l3teeahg73
Target: b72644d7b2cdb11fa41c4b7947b7582f
SHA256: a7c5656d425825b9d1e0744c94db8273c54d6515b44bfc83df5276352d9ff449
Tags: upx isfb gozi
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a7c5656d425825b9d1e0744c94db8273c54d6515b44bfc83df5276352d9ff449

Threat Level: Known bad

The file b72644d7b2cdb11fa41c4b7947b7582f was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-06 10:03

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-06 10:03
Reported: 2024-03-06 10:06
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp

Files

memory/224-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/224-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/224-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

MD5 c63af242bc0e885539224647809f855b
SHA1 a317253fe3d4000560b3d43ad6466f1a91fbecb1
SHA256 b4e861f6c467f41bd21b8a2be1a7275f72a6d9bf2820c417341e83a06fac7fa2
SHA512 fe54da57573cc9a905daefb26743566bdc2a05c7d25cbf134a934b9e266c7d9476e7975e390dfee831559a675383f5841baebd209690ba00df2733b279778513

memory/224-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1228-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1228-14-0x0000000001D90000-0x0000000001EC3000-memory.dmp

memory/1228-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1228-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1228-21-0x0000000005690000-0x00000000058BA000-memory.dmp

memory/1228-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-06 10:03
Reported: 2024-03-06 10:06
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2136-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2136-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2136-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

MD5 d05b997ce06e75be28f80771c5b72ea1
SHA1 b2d6695c7edf0e4dc2183166646f6f2bbf133126
SHA256 da53bc98988e5363969b302fba99eda025e743d3a94b02234aed25ab06141907
SHA512 460051c4a07a51a761545ea51c78f6f80090019d7da3a1af74749e0efce1d49ede830058757196f94c920cc4e4deebbf5db04c25d35eb1ee2860bdba5e4b7972

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

MD5 9057f5a799103534321e4ddf4046300c
SHA1 9cbfdf9aa68da5dc8a16b6c8c8adb0f0815772b1
SHA256 b2e523de0ccd049ea5e809ae7d4b4cc461bb522f4854763fa73d54f519dc59b7
SHA512 a88918b36558e068004c52f8c0158a31f44c41398c70f04957c480e3f63843afe65cd52bf46028f020906cff18caf7b3b809f7b2c4e61f73d5c81239b5a4cea6

memory/2136-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/2136-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1888-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1888-16-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe

MD5 8510ca3b46c5fafc515fa6ecae127704
SHA1 6496d35c2a60467ed3c03c7e25bb175c866eaf9f
SHA256 8844ed41baa655de923ed3be1a501ebf2e604b83a32450c4696fbdc767765954
SHA512 40d7910fe482eeaed7e89550bab16a4c13b45c72cdd12c481d5a2cb266e472335ccaa34a303d45fbed36d94ba7df1b46ef201f761c2fddb845d28fbfb1e2c0bc

memory/1888-19-0x0000000000260000-0x0000000000393000-memory.dmp

memory/1888-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1888-24-0x00000000034F0000-0x000000000371A000-memory.dmp

memory/2136-31-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/1888-32-0x0000000000400000-0x00000000008EF000-memory.dmp