Malware Analysis Report

2025-01-22 18:50

Sample ID: 240313-c1s67aae5s
Target (submitted file name): c4c0908f13e4d702ba4302c6b615b684
SHA256: 6e9d832c5728f7e03e304db7b956def1e4db3355d8418c23894f5e00efec0f0f
Tags: upx, gozi, banker, isfb, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 6e9d832c5728f7e03e304db7b956def1e4db3355d8418c23894f5e00efec0f0f
Threat Level: Known bad

The file c4c0908f13e4d702ba4302c6b615b684 was found to be: Known bad.

Malicious Activity Summary

Tags: upx, gozi, banker, isfb, trojan

Gozi
Loads dropped DLL
UPX packed file
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself

The summary aggregates the three analyses below. "Suspicious use of UnmapMainImage" and "Suspicious use of WriteProcessMemory" appear only in this summary; no per-run signature table records them, so the process that triggered them is not shown in this report.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-13 02:32

Signatures

UPX packed file (tag: upx)
No description, indicator, process or target recorded.

Unsigned PE
No description, indicator, process or target recorded.

Static hits have no process context, so the empty Description/Indicator/Process/Target columns are expected for this analysis; the two findings say only that the submitted PE carries UPX markers and has no Authenticode signature.
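The static "UPX packed file" hit above is a marker match on the PE headers. The following is an added example (not part of this report or of the sandbox's own detection logic) that reproduces the check with only the standard library: it parses the PE section table and looks for three independent signs of UPX packing. The two test executables are constructed in memory by a helper in the block (they are not the analysed sample); the section names and sizes in them are assumptions chosen to illustrate the layout.

```python
import struct

# Section names UPX writes by default. A renamed stub defeats this check alone,
# which is why the "UPX!" header string and the raw-size layout are also reported.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_sections(data: bytes):
    """Parse the PE section table. Returns one tuple per section:
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_of_optional                             # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, vaddr, rsize, rptr))
    return sections


def upx_indicators(data: bytes) -> dict:
    """Report UPX evidence. A section with VirtualSize > 0 and SizeOfRawData == 0
    is how UPX0 reserves room for the unpacked image, but .bss sections look the
    same, so that observation is returned as supporting evidence only; the
    verdict rests on section names or the packer's "UPX!" string."""
    sections = pe_sections(data)
    names = [s[0] for s in sections]
    upx_named = [n for n in names if n in UPX_SECTION_NAMES]
    zero_raw = [s[0] for s in sections if s[3] == 0 and s[1] > 0]
    marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_named_sections": upx_named,
        "zero_raw_sections": zero_raw,
        "upx_marker": marker,
        "likely_upx": bool(upx_named) or marker,
    }


def build_test_pe(layout):
    """Constructed for this example: a minimal PE32 whose only meaningful content
    is its section table. layout = [(name, VirtualSize, SizeOfRawData), ...]."""
    e_lfanew = 0x80
    size_of_optional = 0xE0  # PE32 optional header size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")  # PE32 magic, rest zeroed
    headers_end = e_lfanew + 24 + size_of_optional + 40 * len(layout)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # first 512-byte aligned file offset after the headers
    vaddr, table, body = 0x1000, b"", b""
    for name, vsize, rsize in layout:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
        body += b"\0" * rsize
    image = dos + coff + optional + table
    return image.ljust((headers_end + 0x1FF) & ~0x1FF, b"\0") + body


# Constructed samples (assumed sizes): a UPX-style layout, where UPX0 occupies
# address space but no file bytes and UPX1 holds the compressed payload plus the
# stub, beside a conventional compiler layout whose .bss is the false-positive case.
# Real UPX stores "UPX!" in its own header after the section table; appending it
# to the constructed file is enough for the marker check.
UPX_STYLE = build_test_pe([(b"UPX0", 0x2F000, 0), (b"UPX1", 0x1B000, 0x1A800), (b".rsrc", 0x1000, 0x800)]) + b"UPX!"
PLAIN = build_test_pe([(b".text", 0x20000, 0x20000), (b".rdata", 0x8000, 0x8000),
                       (b".data", 0x4000, 0x1000), (b".bss", 0x2000, 0)])

if __name__ == "__main__":
    for label, blob in (("upx-style", UPX_STYLE), ("plain", PLAIN)):
        print(label, upx_indicators(blob))
```

Run against a real file with `upx_indicators(open(path, "rb").read())`. The zero-raw-size heuristic is deliberately not part of the verdict: an uninitialized-data section is legitimate in unpacked binaries, and a packer that renames its sections and strips the "UPX!" string will pass this check, which is why the behavioural runs below matter more than the static hit.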

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-13 02:32
Reported: 2024-03-13 02:35
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe"

Signatures

Gozi (tags: banker, trojan, gozi)

Deletes itself
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

UPX packed file (tag: upx)
Three hits; no description, indicator, process or target recorded.

Suspicious behavior: RenamesItself
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

"C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe"

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

The same path is listed for the initial process (with its command line) and again for the executions of the file written back to that path, which is what the "Executes dropped EXE" and "RenamesItself" signatures above record. The report gives no process tree; the memory dump names under Files reference two PIDs (2220 and 2320).

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2220-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2220-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2220-2-0x0000000000280000-0x00000000003B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe
MD5: 19d3af634410fb3a7b43b23b341e2fbe
SHA1: 3b8b568263767f6b309753c272db2223e86fd3e6
SHA256: c7fb5e44e6d50da7947a814c306ec23afba2fe8274bc81c99b4dfec8d7a2e2ee
SHA512: a02abafcf3498d1d2c287340d1f45c07659e137cc92358c506d2a3bc345d6a3c97288d111aee4feb13b29a444b7bfb0f703d35eddc004d809fc5c932bfdb7ded

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe
MD5: 28c87e4a527f34965f0ceb72ead0034c
SHA1: 32e46572caade2a00b34c73d0780316ed5169e21
SHA256: 6a369024b5d86f9c2b31272c431053e15bd530227848164d4b6e6cd00ff15aa3
SHA512: e569602c1b4fd17109da6b68052207eef0f9fdd95f44c20f789d431a689195f71a7b696967a89ae9118ae038add022f492bdba96928ad6cebfe53b8e9d052128

Both entries are the file at the submission path as captured during the run. Neither SHA256 matches the submitted sample (6e9d832c...) and they differ from each other: the sample rewrites the file at its own path (see "Deletes itself", "Executes dropped EXE" and "RenamesItself" above), so these hashes identify the rewritten copies, not the original submission. Pivot on the submitted SHA256 for hash-based matching.

memory/2220-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2320-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2320-18-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2220-15-0x00000000038F0000-0x0000000003DDF000-memory.dmp

memory/2320-20-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2320-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2320-24-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/2320-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-13 02:32
Reported: 2024-03-13 02:35
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe"

Signatures

Deletes itself
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

UPX packed file (tag: upx)
Three hits; no description, indicator, process or target recorded.

Suspicious behavior: RenamesItself
Process: C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

"C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe"

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe

As in the Win7 run, the initial process (with its command line) and the re-executions of the file at the same path are listed flat; the memory dump names under Files reference two PIDs (4636 and 3900). The Win10 run does not record the "Gozi" family match or "Loads dropped DLL", which only the Win7 run reports.

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 88.221.135.211:80 tcp
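The Win10 network table above mixes the sample's traffic with the guest's own: rows to 8.8.8.8:53 are DNS queries through the sandbox resolver, the in-addr.arpa names are reverse lookups, and the bing.com/bing.net rows are Windows 10 background activity that is absent from the Win7 run. The following is an added example (not part of this report) that parses rows in the report's format and separates the C2 candidates from that noise. The rows embedded in it are a constructed subset copied from the two Network tables; the background-suffix list is an assumption to be extended per sandbox image.

```python
import re

# The sandbox's configured resolver: every row to it on port 53 is a query the
# guest issued, so the destination itself is never an indicator.
SANDBOX_RESOLVER = "8.8.8.8"

# Assumed list of traffic the Windows guest generates on its own. The Win7 run
# in this report shows none of it, which is what attributes it to the OS image.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")

# One row of the report's Network table: "<CC> <ip>:<port> [<domain>] <proto>".
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed subset of the rows in the behavioral2 table above.
SAMPLE_ROWS = """
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 88.221.135.211:80 tcp
"""


def parse_rows(text):
    """Parse table rows; lines that do not match the row format are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_background(domain):
    return domain is not None and domain.lower().endswith(BACKGROUND_SUFFIXES)


def extract_iocs(rows):
    """Split rows into C2 domains, resolved endpoints, connections with no
    DNS label (cannot be attributed from the table alone) and noise."""
    domains, endpoints, unattributed, noise = set(), set(), set(), 0
    for r in rows:
        if r["ip"] == SANDBOX_RESOLVER and r["port"] == 53:
            # DNS query: the indicator is the queried name, not the resolver.
            if is_background(r["domain"]):
                noise += 1
            elif r["domain"]:
                domains.add(r["domain"].lower())
            continue
        if is_background(r["domain"]):
            noise += 1
            continue
        if r["domain"]:
            domains.add(r["domain"].lower())
            endpoints.add((r["ip"], r["port"], r["domain"].lower()))
        else:
            unattributed.add((r["ip"], r["port"]))
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "unattributed": sorted(unattributed), "noise_rows": noise}


def report_iocs():
    return extract_iocs(parse_rows(SAMPLE_ROWS))


if __name__ == "__main__":
    for key, value in report_iocs().items():
        print(key, value)
```

On the constructed rows this yields zipansion.com and yxeepsek.net with their port-80 endpoints, leaves 88.221.135.211:80 unattributed because the table carries no name for it, and counts six rows as guest noise. Both C2 addresses fall in Cloudflare-announced space (104.16.0.0/12), so they are shared edge nodes; the domains are the durable indicators, and blocking the IPs would affect unrelated sites.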

Files

memory/4636-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4636-1-0x0000000001D40000-0x0000000001E73000-memory.dmp

memory/4636-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4c0908f13e4d702ba4302c6b615b684.exe
MD5: d0ba800132131c5ef303bcf50633b3b3
SHA1: 2a8eb0fc97d708b64cd10951b45c4b59d9492238
SHA256: a7eac0b834d44ec08db4d4da3c51acc3f06039c2493183ffbf901c0b407ce498
SHA512: d8ba6b56380448d2c5253c72bc09d892498b00cd6230e353fbb30859f87a77ec6642b97c1585fe446095bff130c973135ff595346b1f1a62af1c2e08182ac979

This is the rewritten file at the submission path; its SHA256 matches neither the submitted sample (6e9d832c...) nor either copy captured in the Win7 run, so the on-disk content differs per execution and these hashes should not be used to identify the original sample.

memory/3900-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4636-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3900-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3900-14-0x0000000001C20000-0x0000000001D53000-memory.dmp

memory/3900-22-0x0000000005520000-0x000000000574A000-memory.dmp

memory/3900-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3900-28-0x0000000000400000-0x00000000008EF000-memory.dmp
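The Files sections of both runs list memory dumps but no process tree. The following is an added example (not part of this report) that recovers the execution order and the image-region history from the dump names alone. It assumes the sandbox's memory/<pid>-<index>-<start>-<end>-memory.dmp naming, that the index increases in capture order, and that the process image is mapped at the default base 0x400000; the dump names embedded in it are copied from the two Files sections above.

```python
import re
from collections import defaultdict

# Assumed dump naming: memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE = 0x400000  # assumed image base of the sample

# Copied from the behavioral1 and behavioral2 Files sections above.
BEHAVIORAL1_DUMPS = """
memory/2220-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2220-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2220-2-0x0000000000280000-0x00000000003B3000-memory.dmp
memory/2220-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2320-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2320-18-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2220-15-0x00000000038F0000-0x0000000003DDF000-memory.dmp
memory/2320-20-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2320-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2320-24-0x00000000035A0000-0x00000000037CA000-memory.dmp
memory/2320-31-0x0000000000400000-0x00000000008EF000-memory.dmp
"""
BEHAVIORAL2_DUMPS = """
memory/4636-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4636-1-0x0000000001D40000-0x0000000001E73000-memory.dmp
memory/4636-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3900-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4636-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3900-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3900-14-0x0000000001C20000-0x0000000001D53000-memory.dmp
memory/3900-22-0x0000000005520000-0x000000000574A000-memory.dmp
memory/3900-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3900-28-0x0000000000400000-0x00000000008EF000-memory.dmp
"""


def parse_dumps(text):
    """Parse dump names into records sorted by capture index."""
    dumps = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            dumps.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                          "start": int(m["start"], 16), "end": int(m["end"], 16)})
    return sorted(dumps, key=lambda d: d["idx"])


def image_timeline(dumps, base=DEFAULT_IMAGE_BASE):
    """Per PID, the sizes of the region mapped at the image base in capture
    order, with consecutive repeats collapsed. A size that changes within one
    PID means the mapping at the base was replaced while the process ran."""
    timeline = defaultdict(list)
    for d in dumps:
        if d["start"] == base:
            size = d["end"] - d["start"]
            if not timeline[d["pid"]] or timeline[d["pid"]][-1] != size:
                timeline[d["pid"]].append(size)
    return dict(timeline)


def pid_order(dumps):
    """PIDs in order of first appearance, i.e. likely execution order."""
    seen = []
    for d in dumps:
        if d["pid"] not in seen:
            seen.append(d["pid"])
    return seen


def summarize(text):
    dumps = parse_dumps(text)
    timeline = image_timeline(dumps)
    return {"pid_order": pid_order(dumps), "image_sizes": timeline,
            "image_replaced": sorted(p for p, sizes in timeline.items() if len(sizes) > 1)}


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        s = summarize(text)
        print(label, "order:", s["pid_order"], "replaced:", s["image_replaced"])
        for pid, sizes in s["image_sizes"].items():
            print("  pid", pid, [hex(n) for n in sizes])
```

On both runs the first PID (2220, 4636) appears before the second (2320, 3900), and in every process the region at 0x400000 is seen first as 0x4EF000 bytes, then 0x22A000, and in the second process also 0x21D000 before returning to 0x4EF000. The same base mapped with different extents across snapshots is consistent with the image being unmapped and re-mapped, which is what the "Suspicious use of UnmapMainImage" entry in the summary describes, and it is why the useful payload dumps are the 0x62A000 and 0x61D000 captures rather than the packed 0x8EF000 ones.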