Malware Analysis Report

2025-01-22 18:57

Sample ID: 240314-lkm5nsba63
Target: c84ae91054b08d593b81076ef69e148f
SHA256: e9c3b3d5110a014a41964ef37fb07846cd6f006c813e16ca7cba4d256063b88c
Tags: gozi banker isfb trojan
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e9c3b3d5110a014a41964ef37fb07846cd6f006c813e16ca7cba4d256063b88c

Threat Level: Known bad

The file c84ae91054b08d593b81076ef69e148f was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb trojan

Gozi

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-14 09:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 09:35
Reported: 2024-03-14 09:38
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/1524-0-0x0000000000400000-0x0000000000877000-memory.dmp

memory/1524-1-0x0000000000400000-0x000000000064D000-memory.dmp

memory/1524-3-0x0000000001D80000-0x00000000021F7000-memory.dmp

memory/1524-13-0x0000000000400000-0x000000000064D000-memory.dmp

\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

MD5 f7627b86bbb54e5a24e998ad752c0449
SHA1 0534a62144306f5fd5b7ce12b08505327323b2c3
SHA256 9e310205008145e3b94ff073ab4d0b6b2e6447cdecf04ce0871c0ccb85217a65
SHA512 868b8000eded79ba415f75aa2fda7c43c8bc1efccd91405f70b127f38971d34400cabf8bb2fb9f9e4a69f285163dde04ac351e38085ab7a0db9db5fb3945ad57

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

MD5 a5fc54eff952ca58f09a513c692dd3dd
SHA1 f65ca67a50ed164f7a7219d4d181128709ebef36
SHA256 c700292abb80ae6701b63e6892653b6b9023f4c5cecf8e4756e6d4fac97b631f
SHA512 8f216e5753150612a161b22f0c4c37a70dfb1f6f71fd41d7be20840e75deafbcc49de19eba7bb6204d9ecd10a813d3ef10721a05b1d5314231ed2be6c8b94804

memory/1524-15-0x0000000004010000-0x0000000004487000-memory.dmp

memory/3064-17-0x0000000001CC0000-0x0000000002137000-memory.dmp

memory/3064-16-0x0000000000400000-0x000000000064D000-memory.dmp

memory/3064-19-0x0000000000400000-0x0000000000877000-memory.dmp

memory/3064-23-0x0000000000400000-0x0000000000640000-memory.dmp

memory/3064-24-0x0000000003780000-0x00000000039CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 09:35
Reported: 2024-03-14 09:38
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/1316-0-0x0000000000400000-0x0000000000877000-memory.dmp

memory/1316-1-0x0000000001CF0000-0x0000000002167000-memory.dmp

memory/1316-2-0x0000000000400000-0x000000000064D000-memory.dmp

memory/1316-11-0x0000000000400000-0x000000000064D000-memory.dmp

memory/3536-13-0x0000000000400000-0x0000000000877000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe

MD5 389381f5147ada0b7e898c8f12317603
SHA1 f797429f7fcd187cc390746afa12a94fc88338b4
SHA256 d93b31b2dae7ebeb31f8f435f881980effe7f7e59180c7d95c4dcbb3b999a554
SHA512 c300f668a7a06fd9f0275e797a033cfc0a3cec0573385e2b5fd672e1c1b567a5de601d672ced1d87d15a3bdb174484fd7b7b0e31442309787a21860d8158b090

memory/3536-15-0x0000000001EE0000-0x0000000002357000-memory.dmp

memory/3536-14-0x0000000000400000-0x000000000064D000-memory.dmp

memory/3536-20-0x0000000000400000-0x0000000000640000-memory.dmp

memory/3536-22-0x00000000059B0000-0x0000000005BFD000-memory.dmp