Malware Analysis Report

2025-01-22 18:56

Sample ID 240313-wrx9bsdg87
Target c68a708c7f8176f80f0fb47973085ae7
SHA256 4b1cdef0bb8dbbf34e319120cb8332845c4da6f0eb1e807cbfd05274ec3714b9
Tags: upx isfb gozi
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

4b1cdef0bb8dbbf34e319120cb8332845c4da6f0eb1e807cbfd05274ec3714b9

Threat Level: Known bad

The file c68a708c7f8176f80f0fb47973085ae7 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-13 18:09

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 18:09

Reported

2024-03-13 18:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

"C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe"

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1336-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1336-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1336-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

MD5 bfb23bb89b212355bccc64e9749d000d
SHA1 de9e96eeaa3eff9a9a7a598d5b46a62062b4af64
SHA256 937127e29b7c9b0d644e597ecd2bef0121445cdc98ce5e5847418bda547c5ed4
SHA512 7aafe45b855f43eb5439093d002b91feff531cc494e8a6624edbc596831f752d34add9ecd2eceebdc8970a9656cd5063e3a96c97ec3775b07227ab02d49c91bf

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

MD5 5a412afd7f2f5f2c2fb68b6926f63f23
SHA1 c259eecb28effa2dd62483bdc499b0a0313283b5
SHA256 2a7ba96a47ffe54d4a5e2032f8720d7e792c18e6908a5ae8dad008a6402cb6d0
SHA512 42b2404f25b0e6e512699b7d7a888de45af99e4f3541f4a44ed81ecee738f48e7875fd16215d006c54bb82721740c6ff2d6dc35496a5bc977ecf96e242c00377

memory/1336-14-0x0000000004990000-0x0000000004E7F000-memory.dmp

memory/2280-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1336-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2280-19-0x00000000002B0000-0x00000000003E3000-memory.dmp

memory/2280-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2280-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2280-26-0x00000000036D0000-0x00000000038FA000-memory.dmp

memory/2280-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 18:09

Reported

2024-03-13 18:12

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

"C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe"

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

Network


Files

memory/1452-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1452-1-0x0000000001CC0000-0x0000000001DF3000-memory.dmp

memory/1452-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c68a708c7f8176f80f0fb47973085ae7.exe

MD5 666a7409d83c6b3bf763b8398807f3da
SHA1 982c3a7e24d3162c281c12398b8b697acfdfd9e5
SHA256 057b1c9669496134f825c3f7c16148e316354d15c795ef103c0119cfac265b5c
SHA512 05f3bd497f2a6245a0392e67fe10160b2c92caa418b1692872fa7f03119ff1ae7537ba49b4d21123ea5b7fa7da220cd918d973580b070554dd7afef247de216f

memory/1452-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3628-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3628-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3628-15-0x0000000001C30000-0x0000000001D63000-memory.dmp

memory/3628-20-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3628-21-0x0000000005530000-0x000000000575A000-memory.dmp

memory/3628-28-0x0000000000400000-0x00000000008EF000-memory.dmp