Malware Analysis Report

2025-01-22 18:55

Sample ID 240309-vrc3qadf4w
Target bc5bf8f1b628a7a66b77b585b176457f
SHA256 733ef03c87ac6d0ea07b0f3fa208cb17878dafdac14ef9c69595121579ca5d80
Tags
gozi banker isfb trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

733ef03c87ac6d0ea07b0f3fa208cb17878dafdac14ef9c69595121579ca5d80

Threat Level: Known bad

The file bc5bf8f1b628a7a66b77b585b176457f was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan upx

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-09 17:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 17:13

Reported

2024-03-09 17:15

Platform

win7-20240221-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

"C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe"

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/640-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/640-1-0x0000000000400000-0x0000000000622000-memory.dmp

memory/640-2-0x0000000000260000-0x0000000000391000-memory.dmp

\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

MD5 1299692d9d4c417ae6ad71a4e49f7ca4
SHA1 529337caeff26169fbfeaa545cb360de04dcd2aa
SHA256 5efe1b815915d2101c87ee0313be87d1002dffd18bdf1e66a2277a5def908166
SHA512 661da6313b566f3e9f1b90cddc4382bec06a3c9de5eb7104c765b51dd6f70fd3b8c9fb85c576e530bee56e546528de2ed6dfa8b4b8f806b457f54f18d3a2a93e

memory/640-13-0x0000000000400000-0x0000000000622000-memory.dmp

memory/640-15-0x0000000003840000-0x0000000003D27000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

MD5 8f88a183d3da07eccb17e5310b517bef
SHA1 7f86f88ce429d79d834506f2db23d767b3a58edf
SHA256 db0ba7b0ae2ce6feb0d81864df7aabbd5c6fd701481bd9c1baea0161cba305c3
SHA512 e44e0d52bf9aade198cc5af1e43933bf1c59555b6e5500ffc57fd9f0b4444e9674889fe53fc2cae56b3232c8a76c5b07ac4643bf025bdf70cb883b856e2c7c84

memory/2632-16-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2632-18-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2632-17-0x0000000000290000-0x00000000003C1000-memory.dmp

memory/2632-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2632-24-0x0000000003500000-0x0000000003722000-memory.dmp

memory/640-31-0x0000000003840000-0x0000000003D27000-memory.dmp

memory/2632-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-09 17:13

Reported

2024-03-09 17:15

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

"C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe"

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 54.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/4808-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/4808-1-0x0000000001C40000-0x0000000001D71000-memory.dmp

memory/4808-2-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe

MD5 98acac1585fa5ffe1e32d9cef9930c25
SHA1 6a4416a4d5e201fde86018d674ef5e37586b3079
SHA256 862c6cb9db5edab8cf513d24529876f8c5875eff0c463c628ff64db9b73eb886
SHA512 7083125fe332cb94b789cfab6b9c39920fd410299c03c49f6e6ca9c680be7d9dc71d3c78964e2b995790d42bdaf924619152c9f6f6533bf95fbea6a0ac5ee754

memory/64-15-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4808-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/64-13-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/64-16-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/64-21-0x0000000000400000-0x0000000000616000-memory.dmp

memory/64-22-0x0000000005640000-0x0000000005862000-memory.dmp

memory/64-29-0x0000000000400000-0x00000000008E7000-memory.dmp