Malware Analysis Report

2025-01-22 18:53

Sample ID 240308-a5kdqsag33
Target ba180590786db12ec1080fee2516aca4
SHA256 7a90fa5cef6cf8a4ecf36ff8cbeef7f1b40386c08a7b6b51a9c0238df9bec61b
Tags upx isfb gozi
Score 10/10

Analysis Overview

Score 10/10

SHA256 7a90fa5cef6cf8a4ecf36ff8cbeef7f1b40386c08a7b6b51a9c0238df9bec61b

Threat Level: Known bad

The file ba180590786db12ec1080fee2516aca4 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-03-08 00:47

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-08 00:47
Reported 2024-03-08 00:50
Platform win7-20240215-en
Max time kernel 118s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2352-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2352-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2352-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2352-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2352-14-0x0000000003CD0000-0x00000000041BF000-memory.dmp

memory/2128-18-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2128-16-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

MD5 3f8ecf328bae68d4d5de52a38c1082b6
SHA1 2df57e09262d768deafdeeee4e195dc896150001
SHA256 239e83971f3438be57d1a7d1f326fd7c5ff176e5746425dde1e2551eff84a55f
SHA512 cd58011deed87cc912d957499bd11043b009b1d5215c0d147d435082f1e9c637b223221720ab61a9ca9ca7f66c695597c8e03eded8e162d3c0c30e0ec0ab7c2a

\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

MD5 390b6ccf4bffcf0dbbcb23743d13b7be
SHA1 8dcd70099e700d50310608d04c168982927df72c
SHA256 30ba31e725313075f79c85efc18cd28741a56f353e2b34d2aecfd78c2a140aed
SHA512 3ec2a2d13938d520af919dedb9a881cf92818abce7f9d8b5eed2bbe5c17cfc10c763712d192a2446956825c0fb8273bce4441143c24ff9b6bf74742aac00987d

memory/2128-20-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2128-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2128-25-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/2128-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-08 00:47
Reported 2024-03-08 00:50
Platform win10v2004-20231215-en
Max time kernel 91s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4208-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4208-1-0x0000000001DB0000-0x0000000001EE3000-memory.dmp

memory/4208-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4208-12-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe

MD5 7d0e0d3219c4b044d827790dc5dc4265
SHA1 d5bec57675727db24b9b7f5f40285de8bba4db46
SHA256 f231a3d8326743bb2e2b7a0ebcc081dae4844d9bef43f86f9503f2f76ae711b8
SHA512 78923a6aed8212d9d8683d748558e2d02098e9d4a742c464ab9c7db6621401d4256d5edc93a2a5bafe8e9e271d3dcfc79b2fe86254b44eefa61c95cf7acbe501

memory/2548-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2548-15-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2548-13-0x0000000001D20000-0x0000000001E53000-memory.dmp

memory/2548-21-0x0000000005620000-0x000000000584A000-memory.dmp

memory/2548-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2548-28-0x0000000000400000-0x00000000008EF000-memory.dmp