Malware Analysis Report

2025-01-22 18:56

Sample ID 240313-c9c7bsch43
Target c4c6b0dc4ab0afc86171d28444372067
SHA256 665f29046f4e012f8abb896b432e3598fe0783251eab533902ba1199bbd53a73
Tags
upx gozi banker isfb trojan
score
10/10

Analysis Overview

score
10/10

SHA256

665f29046f4e012f8abb896b432e3598fe0783251eab533902ba1199bbd53a73

Threat Level: Known bad

The file c4c6b0dc4ab0afc86171d28444372067 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-13 02:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 02:46

Reported

2024-03-13 02:49

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 02:46

Reported

2024-03-13 02:49

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe

Network

Files
