Malware Analysis Report

2025-01-22 18:56

Sample ID: 240310-jkdvwsfh91
Target: be0cf91c38c27ea52920ff91c1365004
SHA256: 65e5e1808b8b9fae32fc679e93380a705df09ca1d5af1995551bcff0d17e6c20
Tags: gozi banker isfb trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 65e5e1808b8b9fae32fc679e93380a705df09ca1d5af1995551bcff0d17e6c20

Threat Level: Known bad

The file be0cf91c38c27ea52920ff91c1365004 was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan upx

Gozi

Deletes itself

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A (the report provides no ATT&CK technique mapping for this sample; the signatures below are its only behavioural classification)

Analysis: static1

Detonation Overview

Reported

2024-03-10 07:43

Signatures

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
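The two static1 signatures above come from cheap header checks: "UPX packed file" is usually a match on UPX's section names, and "Unsigned PE" means the Authenticode certificate table is absent. The following is an added example of those checks written from the PE/COFF layout; it is not the sandbox's code. The input is a header-only PE constructed by build_minimal_pe(), not the analysed sample, and the UPX test is a name heuristic only (a packer that renames its sections evades it), while "signed" records presence of a certificate table and does not validate the chain.

```python
"""Static triage checks behind the "UPX packed file" and "Unsigned PE"
signatures: read the PE section table and the Authenticode data directory.

Added example (not the sandbox's own code). Offsets follow the PE/COFF
format; the input is a header-only PE constructed by build_minimal_pe(),
not the analysed sample."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # certificate table (Authenticode)
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe(data: bytes) -> dict:
    """Return the section names and the (RVA, size) of the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at + 112
        dd = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes
    sec_rva = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_rva, sec_size = struct.unpack_from(
            "<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Section table follows the optional header; 40 bytes per entry, name first.
    table = opt + opt_size
    names = [struct.unpack_from("<8s", data, table + 40 * i)[0].rstrip(b"\0")
             for i in range(n_sections)]
    return {"sections": names, "security_dir": (sec_rva, sec_size)}


def triage(data: bytes) -> dict:
    """UPX heuristic on section names; 'signed' means a certificate table exists
    (presence only: nothing here validates the signature chain)."""
    pe = parse_pe(data)
    upx = [s for s in pe["sections"] if s in UPX_SECTION_NAMES]
    return {"upx_packed": bool(upx), "upx_sections": upx,
            "signed": pe["security_dir"][1] > 0}


def build_minimal_pe(section_names, security_size=0) -> bytes:
    """Constructed header-only PE32 for testing (not loadable)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    sections = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage(build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_minimal_pe([b".text", b".rdata"], security_size=0x1800)))
```

For a real file, the same two lookups are what pefile exposes as `sections[i].Name` and `OPTIONAL_HEADER.DATA_DIRECTORY[4]`; a signed-but-malicious binary still passes the presence check, so verify the chain (signtool, osslsigncode) before treating "signed" as a trust signal.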

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 07:43

Reported

2024-03-10 07:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"

Signatures

Gozi

Tags: banker trojan gozi

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 172.67.194.101:80 | yxeepsek.net | tcp

Files

memory/2172-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2172-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2172-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

MD5 639a762b727db8eb6752743aebf631ba
SHA1 670d468efed433e3063ffaad6993fb08f6f1570d
SHA256 9a7560c84cc4904de23cce7f45755398d0ef2c5a859a3f7ed55eda282329d897
SHA512 14d9ad9bd27bb04d1c6c29219c748f50a16d0a959393cfaf35bd98654215ce5e76af00b534c523d48c4f5f7d443322707acda08d85989e328289ecccecc9fd64

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

MD5 f31bc3e3d7da6e4287d736d02ec02ee6
SHA1 adae7ff0841583162d08c593bbd07b02a54aa51c
SHA256 ecfc82eb8913326af25752f8bd717a4755c21e72b89b2486421e0ba2391f9f81
SHA512 c73c0c498efd0beeaf6e46b77ac3909ba0954e145537e7d2e2c92133f227d00ec93e132848fd3c17cb4faae8dc17575e9d3d23bdc97025f3bd5a72165126b26b

memory/2172-14-0x0000000003CD0000-0x00000000041BF000-memory.dmp

memory/2528-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2172-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2528-20-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2528-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2528-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2528-25-0x0000000003410000-0x000000000363A000-memory.dmp

memory/2172-31-0x0000000003CD0000-0x00000000041BF000-memory.dmp

memory/2528-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 07:43

Reported

2024-03-10 07:45

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"

Signatures

Gozi

Tags: banker trojan gozi

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | zipansion.com | udp
US | 172.67.144.180:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 172.67.194.101:80 | yxeepsek.net | tcp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
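The Network tables of behavioral1 and behavioral2 mix the sample's own traffic with the sandbox resolver (8.8.8.8:53), the Windows 10 guest's reverse lookups (*.in-addr.arpa) and its Bing telemetry. Only zipansion.com and yxeepsek.net are contacted in both runs, and zipansion.com resolves to a different address in each run (104.21.73.114 versus 172.67.144.180), so the domains are the durable indicators and the IPs are secondary. The block below is an added example of that separation, not tooling from the report: the rows are copied from the two tables above, and the background-suffix list is a heuristic I chose for this guest image, not something the report states.

```python
"""Separate sample-originated contacts from sandbox background traffic in the
report's Network tables. Added example, not code from the sandbox vendor.

NETWORK_ROWS is copied from the behavioral1 and behavioral2 tables above;
BACKGROUND_SUFFIXES is my own noise heuristic for this Windows guest."""
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumed sandbox/OS noise: reverse lookups and Microsoft telemetry. Tune per guest image.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_background(row: dict) -> bool:
    d = row["domain"]
    return any(d.endswith(s) or d == s.lstrip(".") for s in BACKGROUND_SUFFIXES)


def extract_iocs(text: str):
    """Return ({domain: sorted 'ip:port' endpoints actually contacted},
    {domains resolved but never contacted}) after dropping background rows.
    A row to port 53/udp is treated as the resolver query, not a contact."""
    contacted = defaultdict(set)
    resolved = set()
    for row in parse_rows(text):
        if is_background(row):
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            resolved.add(row["domain"])
        else:
            contacted[row["domain"]].add(f"{row['ip']}:{row['port']}")
    resolved_only = resolved - set(contacted)
    return {d: sorted(e) for d, e in contacted.items()}, resolved_only


def dns_blocklist(text: str) -> list:
    """Domains worth blocking/alerting on: everything non-background the sample
    resolved or contacted, deduplicated and sorted."""
    contacted, resolved_only = extract_iocs(text)
    return sorted(set(contacted) | resolved_only)


if __name__ == "__main__":
    c, r = extract_iocs(NETWORK_ROWS)
    for domain, endpoints in c.items():
        print(domain, endpoints)
    print("resolved only:", r)
    print("blocklist:", dns_blocklist(NETWORK_ROWS))
```

Rows that resolve but never connect (resolved_only) are kept separately on purpose: in a longer run they are often the next-stage or fallback C2 that the sample did not get to use, and they are still worth a DNS watch even though no TCP row backs them here.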

Files

memory/1728-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1728-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1728-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe

MD5 bd19928b00650463526ec997a7c664df
SHA1 061d10c7931b6d6c6c3f3150e7eaf6bcb218e6a4
SHA256 c5256b5c7492509725cca4e72e43c75b351a0410ce885cc92df986d9be71c23b
SHA512 b806134c6f9e9778deb444f2044acc9f429215d34b2ebe1b7441f1ab465a644adf8a6bf95693cefceb79334f93fa111cdeb56e420b45bb964928ab077b75cd1b

memory/1460-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1728-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1460-15-0x0000000001D80000-0x0000000001EB3000-memory.dmp

memory/1460-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1460-21-0x0000000005680000-0x00000000058AA000-memory.dmp

memory/1460-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1460-28-0x0000000000400000-0x00000000008EF000-memory.dmp
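The memory dump names in the Files sections of behavioral1 and behavioral2 encode pid, capture sequence, start and end address. Reading them as a per-process region timeline is what turns the overview's "Suspicious use of UnmapMainImage" and "Suspicious use of WriteProcessMemory" into something you can see: the same 0x400000-based image extents are captured in both the parent and the spawned process, and each process also holds a heap region whose size exactly matches one of those image extents. The block below is an added example, not sandbox code; the dump names are copied from behavioral1 (PIDs 2172 and 2528), and treating 0x400000 as the main module's image base is my inference from the default 32-bit EXE base, which the report itself does not state.

```python
"""Parse sandbox memory-dump names into a per-process region timeline and
flag image extents that recur across processes. Added example, not code
from the sandbox vendor. DUMP_NAMES is copied from the behavioral1 Files
section; IMAGE_BASE = 0x400000 is assumed to be the main module."""
import re
from collections import defaultdict

IMAGE_BASE = 0x400000   # assumption: default base of a non-relocated 32-bit EXE

DUMP_NAMES = [
    "memory/2172-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/2172-1-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2172-2-0x0000000001B20000-0x0000000001C53000-memory.dmp",
    "memory/2172-14-0x0000000003CD0000-0x00000000041BF000-memory.dmp",
    "memory/2528-17-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/2172-13-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2528-20-0x0000000001B20000-0x0000000001C53000-memory.dmp",
    "memory/2528-16-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/2528-23-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/2528-25-0x0000000003410000-0x000000000363A000-memory.dmp",
    "memory/2172-31-0x0000000003CD0000-0x00000000041BF000-memory.dmp",
    "memory/2528-32-0x0000000000400000-0x00000000008EF000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def region_timeline(names) -> dict:
    """{pid: [regions sorted by capture sequence]}."""
    by_pid = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        by_pid[d["pid"]].append(d)
    return {pid: sorted(regs, key=lambda d: d["seq"]) for pid, regs in by_pid.items()}


def shared_image_regions(names) -> dict:
    """{(start, end): [pids]} for extents captured in more than one process.
    The main image extent showing up in a second process is what you expect
    after the parent unmaps that process's image and writes its own in."""
    seen = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        seen[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def staged_copies(names) -> set:
    """Non-image regions whose size equals some image extent: candidate staging
    buffers holding a copy of the (unpacked) image before it is written out."""
    image_sizes, others = set(), set()
    for n in names:
        d = parse_dump_name(n)
        if d["start"] == IMAGE_BASE:
            image_sizes.add(d["size"])
        else:
            others.add((d["pid"], d["start"], d["end"], d["size"]))
    return {o for o in others if o[3] in image_sizes}


if __name__ == "__main__":
    for pid, regs in region_timeline(DUMP_NAMES).items():
        print(pid, [(r["seq"], hex(r["start"]), hex(r["size"])) for r in regs])
    print(shared_image_regions(DUMP_NAMES))
    print({(p, hex(s), hex(e), hex(z)) for p, s, e, z in staged_copies(DUMP_NAMES)})
```

On the behavioral1 names this reports the 0x4EF000-byte image extent (0x400000-0x8EF000) and the 0x22A000-byte extent (0x400000-0x62A000) in both 2172 and 2528, a 0x4EF000-byte buffer at 0x3CD0000 in the parent and a 0x22A000-byte buffer at 0x3410000 in the child. That is consistent with the parent staging a full image copy and the child later holding the smaller one, but the name metadata alone cannot prove the write direction; confirm it from the dumps themselves (compare the 0x3CD0000 buffer against the child's 0x400000 image) before stating it in a report.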