Malware Analysis Report

2025-01-22 18:51

Sample ID 240312-e35n4sac93
Target c2730d07c03415bc3ec4ab56d87f343d
SHA256 a2e592ae49c8eadfb0ac3b35a64751d38e1fdef0b9cf03d423f181f3fc868190
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2e592ae49c8eadfb0ac3b35a64751d38e1fdef0b9cf03d423f181f3fc868190

Threat Level: Known bad

The file c2730d07c03415bc3ec4ab56d87f343d was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Loads dropped DLL

UPX packed file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-12 04:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 04:28

Reported

2024-03-12 04:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

"C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe"

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2024-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2024-1-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2024-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

MD5 2685f5f2dcb929507846bb89fb0480b0
SHA1 a08c8a51a958621ff1dd8260d5ee51859bcf8b85
SHA256 cee381c510058dec890007b4ee251bddff31a6c1f5acd32e6535040cad948bab
SHA512 9c252476a5cfeae773effe371b7f740c93ea598edeb3d11c4a37987c8039d319bb4581fd6630e6432ccf3c4cc921041fb5cc81c2ef08769b187bc92123f4f274

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

MD5 2513bd4cd0f6fc6cd119979e7397c856
SHA1 50c1a272b78b16beae19bc5f74b5aafae10a0473
SHA256 d57b455085d75bd2e6e8c949a32b566c28625f2d0a07f693baafca45584bbb8d
SHA512 baa09a30713000fe110282b862569d9b65bead6baf0cb338dc5912d01627dc7220e8152b80c120f9d4f3b8b19076b56a8f6f8745e9508cd5aafe1521773a4723

memory/2024-15-0x0000000003DD0000-0x00000000042BF000-memory.dmp

memory/2024-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2256-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2256-19-0x0000000000130000-0x0000000000263000-memory.dmp

memory/2256-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2256-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2256-24-0x0000000003420000-0x000000000364A000-memory.dmp

memory/2024-31-0x0000000003DD0000-0x00000000042BF000-memory.dmp

memory/2256-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 04:28

Reported

2024-03-12 04:31

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

"C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe"

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/220-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/220-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/220-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c2730d07c03415bc3ec4ab56d87f343d.exe

MD5 eb3777ff3311f0151f7f100c610d01e0
SHA1 fb74f07c83ad0019b0a8a9848b1b4cb994b11500
SHA256 f6f204cc08d296111c3b2d8bb335315215bf907671b93c2bf3b38e1d8708e300
SHA512 2ce2aa74e4ed790449561e7cf4c7e9e91c3577803e03947c0a9a1f35363d334d44ca329d933bcf5e3afb82508ee3c1d946cec7a6c1fe279f7949f7ee3e54ab54

memory/220-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3200-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3200-15-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/3200-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3200-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3200-21-0x00000000056A0000-0x00000000058CA000-memory.dmp

memory/3200-28-0x0000000000400000-0x00000000008EF000-memory.dmp