Malware Analysis Report

2025-01-22 18:57

Sample ID 240313-cz55cscd54
Target c1aa4a2bf58391c09ceacea760f2f655.bin
SHA256 ea2964aa2265b8ead3ea2f009c5914f939b704d10ba7c1f695406f136b703271
Tags upx gozi banker isfb trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

ea2964aa2265b8ead3ea2f009c5914f939b704d10ba7c1f695406f136b703271

Threat Level: Known bad

The file c1aa4a2bf58391c09ceacea760f2f655.bin was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-13 02:31

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 02:31

Reported

2024-03-13 02:34

Platform

win7-20240220-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

"C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe"

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp

Files

memory/1688-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1688-2-0x0000000000290000-0x00000000003A2000-memory.dmp

memory/1688-1-0x0000000000400000-0x00000000005F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

MD5 ae8d7c24ea7643de2ea2446fdeefca26
SHA1 fb35d291e1783f2dc113d68ad1906b6a453c6768
SHA256 69eaea48fca133cda27867a39d873ef01635d300a3f4afe5009a2399602496cb
SHA512 ec1d559e1eb431ff4c26d5a536d4386b1b1ef47053b37f0cd9b02e2a91d357ec6356fa01aa8a45741ddc82a13489e4a44df0bfea738a95240d0924e3c6e399d8

memory/1688-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1688-16-0x00000000047C0000-0x0000000004C2A000-memory.dmp

memory/2192-18-0x0000000000400000-0x000000000086A000-memory.dmp

memory/2192-17-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/2192-20-0x0000000001A60000-0x0000000001B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

MD5 94a2b5ac53061a5f5ce23d8f6fe894ad
SHA1 2d15afde09af870d7f29c8a67fdf87ef23084a69
SHA256 efe306abc11a01569dc4029c2c1901685416912c011acacd2c6728fd866b1575
SHA512 e50e4f6beaf3533b07fc380c1c6eb2c4510df3743f3aec148ef1cb968024a3b898f05d359e8facd65f42728ab403d13c7b603dc42b32cd6f5834aa4233b4268c

memory/1688-26-0x00000000047C0000-0x0000000004C2A000-memory.dmp

memory/2192-27-0x0000000000400000-0x000000000086A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 02:31

Reported

2024-03-13 02:34

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

"C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe"

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | zipansion.com | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp
US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp

Files

memory/1928-0-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1928-1-0x0000000001870000-0x0000000001982000-memory.dmp

memory/1928-2-0x0000000000400000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c1aa4a2bf58391c09ceacea760f2f655.exe

MD5 c36ffccf3445c1825f8bab65369f8d9b
SHA1 b7f8bd6c053450f0c67835865ddb3670567b8ed8
SHA256 74a763c449b0e97feab85a6a5f3a427f3391bee6e6d89bfafdb473dbd541d57b
SHA512 0ff99212aadb2dca62db3429e7a04a2df1a21f998c9e7451b4f5a5c23fcced00a0d304600174071ba85dce80259f22504fdeda8fb6279a0ef17efdd2669596c3

memory/1100-14-0x0000000000400000-0x000000000086A000-memory.dmp

memory/1928-15-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1100-16-0x0000000000400000-0x00000000005F2000-memory.dmp

memory/1100-17-0x0000000001870000-0x0000000001982000-memory.dmp

memory/1100-24-0x0000000000400000-0x000000000086A000-memory.dmp