Malware Analysis Report

2025-01-22 18:50

Sample ID 240310-pxdzbada8v
Target bea1bcfbcc17ac1fb8700a0432ac2cd7
SHA256 64380cb8cca4db0858f72eeef80c8ede35c970f56a1e100776a23b0978c73869
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64380cb8cca4db0858f72eeef80c8ede35c970f56a1e100776a23b0978c73869

Threat Level: Known bad

The file bea1bcfbcc17ac1fb8700a0432ac2cd7 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Deletes itself

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-10 12:42

Signatures

Gozi family

gozi

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 12:42

Reported

2024-03-10 12:47

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         zipansion.com  udp
US       104.21.73.114:80   zipansion.com  tcp
US       8.8.8.8:53         yxeepsek.net   udp
US       104.21.20.204:80   yxeepsek.net   tcp

Files

memory/2056-1-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2056-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2056-3-0x0000000000230000-0x0000000000363000-memory.dmp

\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

MD5 8ed0e3745192f3818ee21f26a87bc181
SHA1 d31e0e6b20e1a2831ffaf829306392876bceaf51
SHA256 b74210ac1d1131ffea62f17ebae90b0d6aa5d97366daf751d21003b3248642fd
SHA512 98cf09d57eaec57db15b935a5cefa4d86aedccd0a4667d97d7815747a9e012b7c9ce851c2b5f7f2d43cf0ebd7e04a79c9aa142f9bb2c8874b5602ea07aa92236

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

MD5 c0acab2cc3065804ca3358e2f6f8b13e
SHA1 ab81c1a2718aee48f0ce3d145df215de525adc7a
SHA256 8a9381e0d5c13566ff1288cb2d223c3706de6722736da6e3f23fc8d0cb6e9001
SHA512 008b7906b6e0053d5eb41409993f8336b643d0cad640d5237494710d659fbc4105fa582f9e98b2c7c5960ba689cbf765ece64925ae091e59d195c7dcb3bc8ebd

memory/2332-15-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

MD5 4ad6b3c13b210db34d34967ee889994f
SHA1 a35e7af9aac5984627f671fda6a43963f9d6497d
SHA256 0c50e417d3ac6d3e46207e03b142043f24a95d860ab03fa72ac8c0bbaae319a1
SHA512 166f44e2be4080d3411afe47d90c764b8a1dc6b89a565df4df56b1bb68e0ba8a9990460493a0de4b1aedb4523b82ec1117a91c0add6cff5bcf60425fc82769a5

memory/2056-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2332-19-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2056-17-0x00000000037E0000-0x0000000003CCF000-memory.dmp

memory/2332-20-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2332-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2332-24-0x0000000003570000-0x000000000379A000-memory.dmp

memory/2332-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 12:42

Reported

2024-03-10 12:45

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

UPX packed file

upx
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53           68.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53           200.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           zipansion.com                 udp
US       172.67.144.180:80    zipansion.com                 tcp
US       8.8.8.8:53           yxeepsek.net                  udp
US       8.8.8.8:53           g.bing.com                    udp
US       172.67.194.101:80    yxeepsek.net                  tcp
US       204.79.197.200:443   g.bing.com                    tcp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           180.144.67.172.in-addr.arpa   udp
US       8.8.8.8:53           101.194.67.172.in-addr.arpa   udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53           81.171.91.138.in-addr.arpa    udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53           204.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53                                         udp

Files

memory/4392-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4392-1-0x0000000001D10000-0x0000000001E43000-memory.dmp

memory/4392-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe

MD5 4716097b7671631c08ef58d5c4d8912e
SHA1 dd09c9ab080a578b7ec4373758bf67b4cdc90593
SHA256 66ba6a4bef933b659b9b19366bb0a153022446349c821d47201f3255d69be711
SHA512 c279c84c959f9246e3ac9af50de7cd70b0279a5f01736ea79ed5ccf7bfcbf033869cea4e5a29ca7a5b131ad382c0bbfde580dad629ad9773f9b4f232d152fc58

memory/4392-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3052-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3052-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3052-15-0x0000000001C70000-0x0000000001DA3000-memory.dmp

memory/3052-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3052-22-0x0000000005570000-0x000000000579A000-memory.dmp

memory/3052-28-0x0000000000400000-0x00000000008EF000-memory.dmp