Malware Analysis Report

2025-01-22 18:51

Sample ID 240313-lssp5acb96
Target c58fffdd53e1ad2828fc0c96a67d2500
SHA256 35a19200c8ea9694f118cf763cd2fb7f21e99a71000b07e47eb2566fa92d64a9
Tags: upx gozi banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

35a19200c8ea9694f118cf763cd2fb7f21e99a71000b07e47eb2566fa92d64a9

Threat Level: Known bad

The file c58fffdd53e1ad2828fc0c96a67d2500 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-13 09:48

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 09:48

Reported

2024-03-13 09:50

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

"C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe"

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/844-1-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/844-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/844-3-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/844-14-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

MD5 9201490bd679419aad6c7d1fb12eb590
SHA1 80721606ce807508ed533b3f8edc0cc6eda7f428
SHA256 9c00d9e55441271e1f650bf209d0a3bc2e7528ccba68e9c7875a54ea7cc439e7
SHA512 d5ab8d9d16d84e438e34cf80b3a99766226720cd2a4d42a61853a685d9dc1c6e176f971f48b6e5a7b61e94171438b245ae33c504afbffe93f2c8ddd0a2888188

memory/3048-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3048-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/3048-15-0x0000000000400000-0x00000000008EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

MD5 e78e5d681c29652d2bb2f07073116038
SHA1 2c76fe62614de8b041e1f47e225317eac00fe143
SHA256 879fa3666de81aaf240f27ecda10558f425e2ac29bccad61cd97b297b6d5b87a
SHA512 eb6ba79474d2343631cba47e15a8ae500bcc949814a8ecb2c2c1865e781856615d6d442e4fbd5145bc61a2fa225ba832fe3288e55cb9f62c30cff4d6e25a0d77

memory/3048-23-0x0000000003410000-0x000000000363A000-memory.dmp

memory/3048-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3048-30-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 09:48

Reported

2024-03-13 09:50

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

"C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe"

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 208.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 51.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.98.74.40.in-addr.arpa udp

Files

memory/2456-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2456-1-0x0000000001C90000-0x0000000001DC3000-memory.dmp

memory/2456-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c58fffdd53e1ad2828fc0c96a67d2500.exe

MD5 0dc7fe99c97edfde580d2abd8a9ab09c
SHA1 b4d8f47d9d62ae560c7d9b849e2fbc422b8690ed
SHA256 182cfc51c57522bb4535cb99772c94fa5944b852b140339dd8ee8e66a6c8f8b5
SHA512 3d6c42a2dcbedf906801b59c82b337c715a405ef1557fb4b967552692a9a9d169265cfe21648b57356ff7a3221566c1893b514e77a914fb885334a2bef23cd5a

memory/2456-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2772-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2772-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2772-14-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2772-20-0x00000000056A0000-0x00000000058CA000-memory.dmp

memory/2772-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2772-28-0x0000000000400000-0x00000000008EF000-memory.dmp