Malware Analysis Report

2025-01-22 18:52

Sample ID 240308-prj85sfa28
Target bb44f0d5b96810db03d1f78ea6e04dd4
SHA256 21cc3334939177e2b9fc47182d1f08d6e7bb84a1ce9e46242680322a3ab82e5a
Tags
upx gozi banker isfb trojan
score
10/10

Analysis Overview

score
10/10

SHA256

21cc3334939177e2b9fc47182d1f08d6e7bb84a1ce9e46242680322a3ab82e5a

Threat Level: Known bad

The file bb44f0d5b96810db03d1f78ea6e04dd4 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-08 12:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 12:33

Reported

2024-03-08 12:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

"C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe"

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

Network


Files

memory/4064-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4064-1-0x0000000001D10000-0x0000000001E43000-memory.dmp

memory/4064-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

MD5 bbb34b3235d40dc1c6c5155df31f0d58
SHA1 2a9b02c5863477aa12b1d3d9921448ac96699073
SHA256 ae79254322d98d713a847eb0e15718fa309b35556adcf960a424d561a3ede24c
SHA512 28dbcc1100f879e9f9307c0524f82174285246d6eab14fce1271b13aaa942573e70ef931fe2331392c69e1f0a03856f3913b12ab95839188da3de0c9098a2ec2

memory/4064-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2936-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2936-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2936-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2936-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2936-21-0x0000000005690000-0x00000000058BA000-memory.dmp

memory/2936-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 12:33

Reported

2024-03-08 12:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

"C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe"

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1676-25-0x0000000003410000-0x000000000363A000-memory.dmp

memory/1676-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1676-19-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1676-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1676-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2252-15-0x0000000003DC0000-0x00000000042AF000-memory.dmp

memory/2252-14-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb44f0d5b96810db03d1f78ea6e04dd4.exe

MD5 dda3ad4193f9c2062e55cf147d22248e
SHA1 5f0740a93ed02a974bdcbd0f0ef9df545198d718
SHA256 59c123ae40c2535093f2aff7c59c2804322061063f7f2ef4c14a39b0d9cee56e
SHA512 89b0eb253d79c4bd508e144f8b3098f233698c2d5ea02f43eb84ef3a7881f3bace35e67449cfa0357e100cc5bb783b957465a2ebfce8a428b3fb72acd2d10a2b

memory/2252-2-0x0000000000130000-0x0000000000263000-memory.dmp

memory/2252-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2252-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1676-31-0x0000000000400000-0x00000000008EF000-memory.dmp