Malware Analysis Report

2025-01-22 18:56

Sample ID 240309-qg66lage86
Target bbe660a686e731e57019dcca9e7acd1a
SHA256 1d1f6158e002a614569cf732706563478c31c021ef35d6a6750c1301d2c6275c
Tags upx isfb gozi banker trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

1d1f6158e002a614569cf732706563478c31c021ef35d6a6750c1301d2c6275c

Threat Level: Known bad

The file bbe660a686e731e57019dcca9e7acd1a was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi banker trojan

Gozi

Gozi family

Deletes itself

Loads dropped DLL

UPX packed file

Executes dropped EXE

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-09 13:15

Signatures

Gozi family

gozi

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 13:15

Reported

2024-03-09 13:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

"C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe"

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2244-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2244-1-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2244-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

MD5 f3bcdac031873b9fd86e38209df06183
SHA1 7ba09250d5c0cdd85fcff80d8dd8d94326ea2888
SHA256 1cdada868649df01f0600ed1252410957e5f6594d8d2015944fb7e7099815991
SHA512 d3f5fcd7105cc04adb9fc3b5d612ff2fd348742380349f0bba92f2b0b91f0c2bf3d214973cb277ff29efda560387566494dc6c1542e826a74d07af4ff172fa0d

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

MD5 0b2746f1299e7e31ff373f11fc01d93c
SHA1 52c7eabd63fd67d789aeab695bcd4a5ed2896bc2
SHA256 3739933a3ff5b3a091a631151bfad375d74369c9522f84d4ac08578d76812d05
SHA512 a50585bc50f8d9b90764fd0b6f564cf755c5b6bb9390ac5308eb70aef4a8499f63ae4fb34cf44cdf686b9ad2e223f32d54f54bd16167a910dd526d18c2409f03

memory/2244-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/2596-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2596-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2596-19-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2244-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2596-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2596-24-0x0000000003430000-0x000000000365A000-memory.dmp
memory/2244-31-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/2596-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-09 13:15

Reported

2024-03-09 13:17

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

"C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe"

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

Network


Files

memory/4980-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4980-1-0x0000000001C30000-0x0000000001D63000-memory.dmp
memory/4980-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe

MD5 f70f8d47867b4183cf3dac1e70cdde81
SHA1 6fba70ccc92432ed526a3bf8bc97e78173cba567
SHA256 1c9b1076cbf5ae70da581d9a6c6ce177135ef769ca12feea0d33742d3042aa06
SHA512 4545af7e1cc17bc166d7011e5418ca819c2c3366cf7ecc421787ff041a43b69e1b8fd6dbe51155c09a72379323041ba29ed15d08a5611d5aecd68f30a1305bb6

memory/4980-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3708-13-0x0000000001D30000-0x0000000001E63000-memory.dmp
memory/3708-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3708-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3708-21-0x0000000005630000-0x000000000585A000-memory.dmp
memory/3708-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3708-28-0x0000000000400000-0x00000000008EF000-memory.dmp