Malware Analysis Report

2025-01-22 18:56

Sample ID 240310-vkja6agf98
Target bf23e60ead2bad9afe9706fd1d9ac690
SHA256 ceafbf1e45295f6611a13a685a5c8623214de0754bfe9385072138bfaac06a65
Tags
upx gozi banker isfb trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

ceafbf1e45295f6611a13a685a5c8623214de0754bfe9385072138bfaac06a65

Threat Level: Known bad

The file bf23e60ead2bad9afe9706fd1d9ac690 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-10 17:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 17:02

Reported

2024-03-10 17:05

Platform

win7-20231129-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

"C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe"

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

MD5 ed83983079c2278a1e19693a2f524ebc
SHA1 fc405fa9a8eee5230878e1ee732f5d9d4b6b8c60
SHA256 261d06bd4dcf196c6a23ea4cd992c0a60ecd63a6178a5990446b08dfb6d14dd4
SHA512 246e45f5fa0b92523cd93a47131035c0d19bc60532d35fea28c0925504c75a20866020ae443f0f295a82d194d0a2d45e9e335485dde0bbd40cad51481ddee75f

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 17:02

Reported

2024-03-10 17:05

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

"C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe"

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bf23e60ead2bad9afe9706fd1d9ac690.exe

MD5 af57220032e4953d18649d21d4987372
SHA1 6734a100747e92a6632e3fac1fd91c14606d627d
SHA256 1e71128227606a145994f30d935051e79b2c6f74ad337cb3f454e78cb2599f5a
SHA512 a8e136e8f7e5fe51bfaba5e941eeef837fd19b1842255374a186c15fbff9db90ce5192d23842b5ac3d8662112f9fe6cd52377556c500b5a684c5f192f041ab7d
