Malware Analysis Report

2025-01-22 18:56

Sample ID 240311-xl3sasdd54
Target c15bbd07ef93d05c7594fe5dc6367fc1
SHA256 06bde6ab994bade27021a5819465c7ab17b7505c09549715530c4505114469b3
Tags: upx gozi banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 06bde6ab994bade27021a5819465c7ab17b7505c09549715530c4505114469b3

Threat Level: Known bad

The file c15bbd07ef93d05c7594fe5dc6367fc1 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-11 18:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 18:57
Reported: 2024-03-11 19:00
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

"C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe"

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1500-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1500-1-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1500-3-0x0000000000250000-0x0000000000381000-memory.dmp

\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

MD5 b4d05d97edc657af97c6a53a33e91303
SHA1 7bc46017a44d46cb47ef8ba9732384fc338fd78e
SHA256 e3d838e0dee2237854f3e7ff6ca19d996843605a079664d9f53d75a5af36cda4
SHA512 06931bd22ba6affa41d413624d34921e947ced9600b70c563bd602a78c6eb3b52c632d7b793962fbdfe607918a6c9e5f506049a99135f97b6e5157011145949d

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

MD5 37f3d28a3d15ffa563591eb68080fc78
SHA1 7b0c4c2dd08165dc9e60da7302bb17bfd341b65a
SHA256 ef388b1ad2ab21146fdab32ec5755d36cba4daf064dbea03fcf9e4e4e9d3ced8
SHA512 7ff8d2e9452edfc1aceadd3baf5add7c8998a838be6ad1b9863c452e6601757e6a07a877a6d8e010d68969cad8b08e5f697b238032c2637fead3ded9bd0f3fe8

memory/1500-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1500-15-0x0000000003830000-0x0000000003D17000-memory.dmp

memory/2164-17-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2164-16-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2164-18-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2164-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2164-25-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/2164-31-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 18:57
Reported: 2024-03-11 18:59
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

"C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe"

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/624-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/624-1-0x0000000001D30000-0x0000000001E61000-memory.dmp

memory/624-2-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c15bbd07ef93d05c7594fe5dc6367fc1.exe

MD5 352739abe4c099386988db9a85dce585
SHA1 292f5c7dd5041f679db90959c11e362c745d51b6
SHA256 5e723a2b6a64663b97877bcf7c588d54b8d4ca0e630844920d34c422374caaac
SHA512 650dad2357c51c83c58ada752c1ff82197a6c9a07f032682922d982b1df7d4732eb92296b269457d51ebef1a73f879d56770532f5ac4ed068ac002ed94142f92

memory/624-12-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1536-13-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/1536-15-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/1536-14-0x0000000000400000-0x0000000000622000-memory.dmp

memory/1536-20-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1536-22-0x0000000005710000-0x0000000005932000-memory.dmp

memory/1536-28-0x0000000000400000-0x00000000008E7000-memory.dmp