Malware Analysis Report

2025-01-22 18:57

Sample ID 240311-g5shnseb9t
Target c012d2e1de038e4f73ee4c5a63c315ac
SHA256 4abbcfd7a7ac93842b8f576b05bd75da1a5fcbb283a6b76ad12d688804b86ae9
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4abbcfd7a7ac93842b8f576b05bd75da1a5fcbb283a6b76ad12d688804b86ae9

Threat Level: Known bad

The file c012d2e1de038e4f73ee4c5a63c315ac was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-11 06:23

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 06:23

Reported

2024-03-11 06:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

"C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe"

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2296-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2296-1-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2296-2-0x0000000000230000-0x0000000000361000-memory.dmp

\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

MD5 c448b8183cf883d0703744b57c88eba1
SHA1 e87b2b8a35e71751f8715062c16fa5d0cca8484a
SHA256 39cacc7a5480d0de86251440d739b7da550937e235b2cb0ef85e74435f0bf33e
SHA512 0503977e0504d2da27842ed035956ba78477f4f8f78de1f493966522567213c9288a64d94db8ee62ee54c11317d16a83bb3e2e88ef33ef366c6f7475016b5887

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

MD5 246ca991dce672743b9f18afe4e10616
SHA1 677df0b5f4bb0d1131bbceb9d2b9ee3e0a08e0fc
SHA256 041180ef030cd09f1fd0ed9043255dcc77faefad1f731f26292c06883171ad88
SHA512 831ef407f7b5743b5a55a37275e1df14b423d0dadd57b1e8fc082bee1ad7fbd08f7dcffd8454014c746b0d2065ad045083960ccde666f31abcbf8400a71c6340

memory/2296-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3016-16-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3016-18-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/3016-17-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2296-15-0x0000000003D50000-0x0000000004237000-memory.dmp

memory/3016-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3016-24-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/2296-31-0x0000000003D50000-0x0000000004237000-memory.dmp

memory/3016-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 06:23

Reported

2024-03-11 06:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

"C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe"

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/3580-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3580-1-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/3580-2-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c012d2e1de038e4f73ee4c5a63c315ac.exe

MD5 becbb422c0d989c88b1b0aead909b223
SHA1 f4adfa4ca8e3e0426dfd052ac291179e97af2e2e
SHA256 0a487e6c6ac49cae6a7b0283c28ef805c2cdd9b9392b0b4e716a5d056bfa22f1
SHA512 a665f7a68020a90a6b19e2a1a62956839df73b397552d8e0f22863b2e9c94b9e15002749428b864a59fd30ac5574d12586e5d7f02b053d9c5f351431c853ae89

memory/3144-13-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/3580-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3144-15-0x0000000000400000-0x0000000000622000-memory.dmp

memory/3144-14-0x0000000001D90000-0x0000000001EC1000-memory.dmp

memory/3144-20-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3144-21-0x0000000005680000-0x00000000058A2000-memory.dmp

memory/3144-28-0x0000000000400000-0x00000000008E7000-memory.dmp