Malware Analysis Report

2025-01-22 18:56

Sample ID: 240306-zscwkahc85
Target: b82cb510100cc9e5e7b3ca0ce00e10a6
SHA256: 6c9136e86a05f217abbbd2e73b79c5e0330a8c37d09af42124738f08fb0405b9
Tags: gozi banker isfb trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 6c9136e86a05f217abbbd2e73b79c5e0330a8c37d09af42124738f08fb0405b9
Threat Level: Known bad

The file b82cb510100cc9e5e7b3ca0ce00e10a6 was found to be: Known bad.

Malicious Activity Summary

Tags: gozi banker isfb trojan upx

Gozi
Loads dropped DLL
Deletes itself
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage

Read together with the per-run sections below, these signatures describe a packed, unsigned loader. The submitted file is UPX-packed and carries no Authenticode signature (static1). At run time it writes a copy with a different hash to its own path under %TEMP%, executes that copy, and the original is deleted (RenamesItself, Executes dropped EXE, Deletes itself). WriteProcessMemory and UnmapMainImage (unmapping a process's own main executable image, the step that precedes placing a different image at the same base) match what the memory dumps show: the region at 0x400000 is captured at several different sizes within one process. Gozi/ISFB is the sandbox's family classification; the report records no MITRE ATT&CK mapping for it.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-06 20:58

Signatures

UPX packed file (tag: upx)
  No description, indicator, process or target recorded.

Unsigned PE
  No description, indicator, process or target recorded.
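Both static1 signatures are header checks an analyst can reproduce without running the file. The Python below is an added example, not the sandbox's own detection logic: it parses the PE section table and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, flags the default UPX section names or the "UPX!" pack-header marker, and reports whether an Authenticode blob is attached. It runs against a constructed header-only PE32 built inside the block (not the analysed sample), so it works offline.

```python
import struct

SECURITY_DIRECTORY_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: COFF header, section table, security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes sits at optional-header offset 92 (PE32) / 108 (PE32+);
    # the data-directory array immediately follows it.
    ndirs_off = opt + (92 if magic == 0x10B else 108)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    security = (0, 0)
    if ndirs > SECURITY_DIRECTORY_INDEX:
        security = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * SECURITY_DIRECTORY_INDEX)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "magic": magic, "sections": sections, "security": security}


def is_upx_packed(data: bytes, pe: dict) -> bool:
    """Default UPX section names, or the 'UPX!' pack header that stock UPX writes after
    the section table. A modified UPX can strip both, so absence proves nothing."""
    names = {s["name"] for s in pe["sections"]}
    return bool(names & UPX_SECTION_NAMES) or b"UPX!" in data[:0x1000]


def has_authenticode_blob(pe: dict) -> bool:
    """Non-zero security directory means a WIN_CERTIFICATE blob is attached.
    It says nothing about whether the signature verifies or who signed it."""
    rva, size = pe["security"]
    return rva != 0 and size != 0


def static_signatures(data: bytes) -> dict:
    """Reproduce the two static1 signatures from the report for one PE image."""
    pe = parse_pe(data)
    return {
        "upx_packed": is_upx_packed(data, pe),
        "unsigned": not has_authenticode_blob(pe),
        "sections": [s["name"] for s in pe["sections"]],
    }


def build_test_pe(section_names, signed: bool, upx_marker: bool = False) -> bytes:
    """Constructed header-only PE32 for offline testing; this is NOT the analysed sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIRECTORY_INDEX, 0x2000, 0x800)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0 if n == "UPX0" else 0x200, 0x400,
                    0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    tail = b"UPX!" + b"\0" * 28 if upx_marker else b""
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + tail


PACKED_SAMPLE = build_test_pe(["UPX0", "UPX1", ".rsrc"], signed=False, upx_marker=True)
CLEAN_SAMPLE = build_test_pe([".text", ".rdata", ".data"], signed=True)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, static_signatures(blob))
```

"Unsigned PE" here means no signature blob at all. A present blob still has to be verified (signtool or osslsigncode) before it counts for anything, and a packer that renames its sections or strips the pack header defeats the UPX check, which is why the sandbox pairs these static rules with the behavioral signatures.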

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-06 20:58
Reported: 2024-03-06 21:01
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe"

Signatures

Gozi (tags: banker trojan gozi)

Deletes itself
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

UPX packed file (tag: upx)
  2 matches; no description, indicator, process or target recorded.

Suspicious behavior: RenamesItself
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  "C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe"
C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe

The process list has three entries at the same path (the submitted sample and the copy it writes to that path share the name); a command line is recorded only for the first. The memory dump names below carry two PIDs, 944 and 1472.

Network

Country  Destination           Domain                           Proto
US       8.8.8.8:53            zipansion.com                    udp
US       104.21.73.114:80      zipansion.com                    tcp
US       8.8.8.8:53            g.bing.com                       udp
US       204.79.197.200:443    g.bing.com                       tcp
US       8.8.8.8:53            19.53.126.40.in-addr.arpa        udp
US       8.8.8.8:53            183.142.211.20.in-addr.arpa      udp
US       8.8.8.8:53            173.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53            114.73.21.104.in-addr.arpa       udp
US       8.8.8.8:53            yxeepsek.net                     udp
US       172.67.194.101:80     yxeepsek.net                     tcp
US       8.8.8.8:53            101.194.67.172.in-addr.arpa      udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa         udp
US       8.8.8.8:53            182.245.100.95.in-addr.arpa      udp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa       udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa        udp
US       8.8.8.8:53            134.71.91.104.in-addr.arpa       udp
US       8.8.8.8:53            176.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53            14.227.111.52.in-addr.arpa       udp
US       8.8.8.8:53            tse1.mm.bing.net                 udp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       8.8.8.8:53                                             udp

Every udp row is a DNS query to the sandbox resolver 8.8.8.8; the final row has no domain recorded. The in-addr.arpa rows are reverse (PTR) lookups (two of them, 114.73.21.104 and 101.194.67.172, reverse the two addresses the sample connected to), and the g.bing.com / tse1.mm.bing.net traffic is Windows 10 background activity (search and Spotlight); none of it appears in the Win7 run (behavioral1), which contacts only zipansion.com and yxeepsek.net. Those two domains, reached over plain HTTP on port 80, are the sample-attributable indicators. Both addresses fall in Cloudflare space (104.16.0.0/13 and 172.64.0.0/13), so they identify a shared CDN edge rather than the operator's server and make poor blocklist entries; block or hunt on the domains.

Files

Memory dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp: the PID the region was read from, a capture sequence number, and the virtual address range. Listed in the report's order, with the region size added:

memory/944-0-0x0000000000400000-0x00000000008EF000-memory.dmp      (0x4EF000, image base)
memory/944-1-0x0000000001D10000-0x0000000001E43000-memory.dmp      (0x133000)
memory/944-2-0x0000000000400000-0x000000000062A000-memory.dmp      (0x22A000, image base)

C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  MD5     0838e3bd03cc4a4d2e48b087628e5c56
  SHA1    4b635395b2373b6dfe77e1d330219c6fca4edbe6
  SHA256  ba4707590b53ac4109abf3a9930cdd678cd2c7648eb6e3a23c7cbf84af30c8a8
  SHA512  028b01990c12c39239c26fa199e063ba8e7638ba1447ef9042693ffbff61eae672f6736c54148cced9df218b2684624e3f30b31a43ccbc73e68b82215aca1fbe

memory/944-12-0x0000000000400000-0x000000000062A000-memory.dmp     (0x22A000, image base)
memory/1472-13-0x0000000001DA0000-0x0000000001ED3000-memory.dmp    (0x133000)
memory/1472-14-0x0000000000400000-0x000000000062A000-memory.dmp    (0x22A000, image base)
memory/1472-15-0x0000000000400000-0x00000000008EF000-memory.dmp    (0x4EF000, image base)
memory/1472-20-0x00000000056A0000-0x00000000058CA000-memory.dmp    (0x22A000)
memory/1472-21-0x0000000000400000-0x000000000061D000-memory.dmp    (0x21D000, image base)
memory/1472-28-0x0000000000400000-0x00000000008EF000-memory.dmp    (0x4EF000, image base)

Two things stand out. The file written to the sample's own path has a different SHA256 (ba47…) from the submitted sample (6c91…), which is what the RenamesItself, Deletes itself and Executes dropped EXE signatures record. And the region at the image base 0x400000 is captured at three different sizes within PID 1472 (0x22A000, 0x4EF000, 0x21D000), while a 0x22A000-byte region also appears at 0x56A0000 in the same process; that is consistent with the UnmapMainImage and WriteProcessMemory signatures, and the image-base dumps, not the dropped file, are the natural starting point for recovering the unpacked code.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-06 20:58
Reported: 2024-03-06 21:01
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe"

Signatures

Deletes itself
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

UPX packed file (tag: upx)
  4 matches; no description, indicator, process or target recorded.

Suspicious behavior: RenamesItself
  Process: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  "C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe"
C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe

As in the Win10 run, the list has three entries at the same path with a command line recorded only for the first. The memory dump names below carry two PIDs, 3040 and 2564.

Network

Country  Destination           Domain           Proto
US       8.8.8.8:53            zipansion.com    udp
US       172.67.144.180:80     zipansion.com    tcp
US       8.8.8.8:53            yxeepsek.net     udp
US       172.67.194.101:80     yxeepsek.net     tcp

Only the two sample-attributable domains appear in this run; the Windows 10 background traffic of behavioral2 is absent. zipansion.com resolved to 172.67.144.180 here and to 104.21.73.114 in the Win10 run, both Cloudflare edges, so the address changes between runs while the domain does not.
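To turn the two Network tables (behavioral2 above and this run) into indicators, the added Python below, which is not part of the report, parses rows in the report's four-column layout, drops the DNS and reverse-lookup rows and the Windows background hosts, and keeps the TCP connections, tagging addresses that fall in published Cloudflare ranges. The row list is copied from the tables (behavioral2 abridged to its distinct hosts); the background-domain list and the CDN CIDRs are analyst assumptions that have to be maintained per sandbox image.

```python
import ipaddress

# Rows copied from the report's two Network tables (behavioral2 on Win10, abridged to its
# distinct hosts, then behavioral1 on Win7). Header line omitted; one row has an empty Domain.
NETWORK_ROWS = """\
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
"""

# Analyst assumption, not from the report: hosts a clean Windows 10 sandbox contacts on its
# own. The report supports it only indirectly (the Win7 run shows none of them). Tune per image.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")

# Published Cloudflare IPv4 ranges covering the addresses in the report; refresh from
# https://www.cloudflare.com/ips-v4 before relying on them.
SHARED_CDN_NETS = [ipaddress.ip_network(c) for c in ("104.16.0.0/13", "172.64.0.0/13")]


def parse_row(line: str) -> dict:
    """One table row in the report's 'Country Destination Domain Proto' layout."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:                      # empty Domain column collapses to three fields
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_background(domain: str) -> bool:
    """DNS noise: reverse lookups, rows with no name, and OS search/telemetry hosts."""
    return (domain == ""
            or domain.endswith(".in-addr.arpa")
            or domain.endswith(BACKGROUND_SUFFIXES))


def behind_shared_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_NETS)


def extract_iocs(table_text: str) -> list:
    """Unique (domain, ip, port, shared_cdn) for sample-attributable TCP connections."""
    iocs = set()
    for line in table_text.strip().splitlines():
        if line.startswith("Country"):          # tolerate a pasted header line
            continue
        r = parse_row(line)
        if r["proto"] != "tcp" or r["port"] == 53 or is_background(r["domain"]):
            continue
        iocs.add((r["domain"], r["ip"], r["port"], behind_shared_cdn(r["ip"])))
    return sorted(iocs)


def ioc_domains(table_text: str) -> list:
    """Domains are the stable indicators when every address sits behind a shared CDN."""
    return sorted({domain for domain, _, _, _ in extract_iocs(table_text)})


if __name__ == "__main__":
    for domain, ip, port, cdn in extract_iocs(NETWORK_ROWS):
        print(f"{domain:15} {ip:16} tcp/{port} {'(shared CDN edge)' if cdn else ''}")
    print("block/hunt on:", ioc_domains(NETWORK_ROWS))
```

Run on the report's rows this yields three connections, all flagged as CDN edges, and two domains. That is the practical outcome of the Network sections: zipansion.com and yxeepsek.net go on the blocklist, the three IP addresses do not.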

Files

Memory dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp as in the Win10 run. Listed in the report's order, with the region size added:

memory/3040-1-0x0000000000400000-0x00000000008EF000-memory.dmp     (0x4EF000, image base)
memory/3040-0-0x0000000000400000-0x000000000062A000-memory.dmp     (0x22A000, image base)
memory/3040-3-0x00000000018F0000-0x0000000001A23000-memory.dmp     (0x133000)

C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  MD5     60f0ac863de74e0fb9a23af6c9e8dd7f
  SHA1    0bcd47eabaaf8125296cbd40721c6339d7b880b4
  SHA256  98e4f71648f0a4033c8516bc70d012bef9646f519d938fd25998d5600d338672
  SHA512  36e4be03845f2b4ae8145d957fc4f984b4f5923ca22449e9245f2405784cb53c91879d3fe3a7532a8067211309eec1fc37f347e5f21da5f70ebded74a562804c

memory/3040-15-0x0000000003950000-0x0000000003E3F000-memory.dmp    (0x4EF000)
memory/3040-14-0x0000000000400000-0x000000000062A000-memory.dmp    (0x22A000, image base)

\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  MD5     d2daef3949e1276fb550ecce81595308
  SHA1    9fe253ba2eac9afd55849838f68ca8038f13fbfb
  SHA256  4339550eb80dcaac2771ad85d4f26a9e6253e6c795405de95b612c0ae8311d0a
  SHA512  79421b5900eeed2ccd62c38e18ac404b00b4de6890918ccf1fead0db85c0967e1c8ed8a939371434a5e20e0cd76828db39850594402d062e463efcd02b0e0a6f

memory/2564-17-0x0000000000400000-0x000000000062A000-memory.dmp    (0x22A000, image base)
memory/2564-16-0x0000000000400000-0x00000000008EF000-memory.dmp    (0x4EF000, image base)
memory/2564-18-0x0000000000130000-0x0000000000263000-memory.dmp    (0x133000)
memory/2564-23-0x0000000000400000-0x000000000061D000-memory.dmp    (0x21D000, image base)
memory/2564-25-0x00000000033F0000-0x000000000361A000-memory.dmp    (0x22A000)
memory/3040-31-0x0000000003950000-0x0000000003E3F000-memory.dmp    (0x4EF000)
memory/2564-32-0x0000000000400000-0x00000000008EF000-memory.dmp    (0x4EF000, image base)

The Win7 run lists two files at the sample's path (once with and once without the drive letter) with two different hashes (98e4… and 4339…), neither matching the submitted sample (6c91…) or the copy written in the Win10 run (ba47…). The on-disk copy therefore differs from run to run and its hashes are weak indicators; the two domains in the Network section are the stable ones. The region sizes at the image base (0x4EF000, 0x22A000, 0x21D000) and the 0x133000 and 0x22A000 private regions are the same as in the Win10 run, so the in-memory stages are consistent across both platforms. "Loads dropped DLL" fires in this run, but no DLL appears among the captured files.
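The memory dump names in both Files sections carry the PID, the capture sequence number and the address range, which is enough to see the staging without opening a single dump. The added Python below (not part of the report) parses the names, groups regions by size and builds the per-PID timeline of what was mapped at the image base; the recurring 0x4EF000 / 0x22A000 / 0x21D000 stages fall out directly. The names are copied from the report; the layout memory/<pid>-<n>-<start>-<end>-memory.dmp is an assumption read off those names.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Files sections (behavioral2 = Win10, behavioral1 = Win7).
BEHAVIORAL2_DUMPS = [
    "memory/944-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/944-1-0x0000000001D10000-0x0000000001E43000-memory.dmp",
    "memory/944-2-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/944-12-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1472-13-0x0000000001DA0000-0x0000000001ED3000-memory.dmp",
    "memory/1472-14-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1472-15-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1472-20-0x00000000056A0000-0x00000000058CA000-memory.dmp",
    "memory/1472-21-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/1472-28-0x0000000000400000-0x00000000008EF000-memory.dmp",
]
BEHAVIORAL1_DUMPS = [
    "memory/3040-1-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/3040-0-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/3040-3-0x00000000018F0000-0x0000000001A23000-memory.dmp",
    "memory/3040-15-0x0000000003950000-0x0000000003E3F000-memory.dmp",
    "memory/3040-14-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2564-17-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2564-16-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/2564-18-0x0000000000130000-0x0000000000263000-memory.dmp",
    "memory/2564-23-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/2564-25-0x00000000033F0000-0x000000000361A000-memory.dmp",
    "memory/3040-31-0x0000000003950000-0x0000000003E3F000-memory.dmp",
    "memory/2564-32-0x0000000000400000-0x00000000008EF000-memory.dmp",
]

# Assumed layout: memory/<pid>-<seq>-<start>-<end>-memory.dmp (read off the names above).
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_size(names) -> dict:
    """size -> sorted [(pid, seq, start)], so identically sized blobs at different bases line up."""
    groups = defaultdict(list)
    for d in map(parse_dump_name, names):
        groups[d["size"]].append((d["pid"], d["seq"], d["start"]))
    return {size: sorted(v) for size, v in groups.items()}


def image_base_timeline(names, base=0x400000) -> dict:
    """pid -> [(seq, size)] for dumps taken at the image base, in capture order.
    One PID showing several sizes at the same base means the mapped image was replaced."""
    timeline = defaultdict(list)
    for d in sorted(map(parse_dump_name, names), key=lambda d: d["seq"]):
        if d["start"] == base:
            timeline[d["pid"]].append((d["seq"], d["size"]))
    return dict(timeline)


def stage_sizes(names, base=0x400000) -> list:
    """Distinct image sizes seen at the image base across all PIDs of a run."""
    return sorted({size for seqs in image_base_timeline(names, base).values() for _, size in seqs})


if __name__ == "__main__":
    for label, names in (("behavioral2", BEHAVIORAL2_DUMPS), ("behavioral1", BEHAVIORAL1_DUMPS)):
        print(label, "image-base stages:", [hex(s) for s in stage_sizes(names)])
        for pid, seqs in image_base_timeline(names).items():
            print(f"  pid {pid}: " + " -> ".join(f"#{seq} {size:#x}" for seq, size in seqs))
```

For the Win10 run this gives PID 1472 the sequence 0x22A000, 0x4EF000, 0x21D000, 0x4EF000 at 0x400000, with a 0x22A000-byte private region at 0x56A0000 captured between the second and third of those, and the Win7 run produces the same three stage sizes with different PIDs. Grouping by size is the quick way to decide which dumps are copies of the same stage and which one to carve first.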