Malware Analysis Report

2025-01-22 18:58

Sample ID: 240315-v1j8dseb61
Target:    cbfedc43f718fa811669ade61aab7ab0
SHA256:    a625bda6c2cf2b558aea45d12aa364c07f0fd634a4562a1de9a19ad04c319b8a
Tags:      upx gozi banker isfb trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a625bda6c2cf2b558aea45d12aa364c07f0fd634a4562a1de9a19ad04c319b8a

Threat Level: Known bad

The file cbfedc43f718fa811669ade61aab7ab0 was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-15 17:27

Signatures

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-03-15 17:27
Reported:         2024-03-15 17:29
Platform:         win7-20240221-en
Max time kernel:  118s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

Network

Country  Destination       Domain         Proto
US       8.8.8.8:53        zipansion.com  udp
US       104.21.73.114:80  zipansion.com  tcp
US       8.8.8.8:53        yxeepsek.net   udp
US       104.21.20.204:80  yxeepsek.net   tcp

Files

memory/2924-1-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2924-0-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2924-4-0x0000000000130000-0x0000000000261000-memory.dmp

\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

MD5 49a8fd7e226b9cc240725428b8e392bc
SHA1 b0d42a5ddff4de81adadba2d1901158ccc6ecf10
SHA256 7a17458dd3122f119f6cd16ef4639061bc3ade9ef518bb0a41f88d53ad673f9c
SHA512 038110a67fb484cc0e28d8a3e82e306cc52fff03d30e9198db0a9bff6cb5ec3afa490684b41f836a003b7ac250c605fdc4d374259c13945cd854688d441ea82d

memory/2924-15-0x0000000003740000-0x0000000003C27000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

MD5 95fc3c3474728c75081700f23d269e7f
SHA1 a4eca9309a8bd52d5c7deefaf3c8a1958f6917cf
SHA256 8a8070d3304f96f03acc27575372ceb17d9fb28aada7d0a05cb0a1e958cb41f5
SHA512 e048d2db7cf3cdfa6fa77276db80a23e357f2a05ea1428288d5f253cfbc47acd34020b2f41a6637518774db036008a5e25a3f0431ebe21b4164757a01c518b65

memory/2924-14-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

MD5 4f56eda5bc3c030540ee8596690f3d4f
SHA1 ea51cf2d739b4ade2f93cb98e222806913708c35
SHA256 d55bd7d9d1fd9df9a2e00c73ef39061240221403a2d86f132a2ebf91ee1cb520
SHA512 37528af2a5c3608efc5d1424fde3d696cc224753d04850b525682b848fd11e567c17a1a37274a0241a21dccdd91d803be526a75dfb360887bc09466c55ce6dfa

memory/2548-16-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/2548-18-0x0000000001B10000-0x0000000001C41000-memory.dmp

memory/2548-17-0x0000000000400000-0x0000000000622000-memory.dmp

memory/2548-23-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2548-24-0x00000000033F0000-0x0000000003612000-memory.dmp

memory/2924-31-0x0000000003740000-0x0000000003C27000-memory.dmp

memory/2548-32-0x0000000000400000-0x00000000008E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-03-15 17:27
Reported:         2024-03-15 17:29
Platform:         win10v2004-20240226-en
Max time kernel:  149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"

Signatures

Gozi (tags: banker trojan gozi)

Deletes itself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          68.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa   udp
US       8.8.8.8:53          201.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          zipansion.com                udp
US       172.67.144.180:80   zipansion.com                tcp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa   udp
US       8.8.8.8:53          180.144.67.172.in-addr.arpa  udp
US       8.8.8.8:53          58.55.71.13.in-addr.arpa     udp
US       8.8.8.8:53          yxeepsek.net                 udp
US       104.21.20.204:80    yxeepsek.net                 tcp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          204.20.21.104.in-addr.arpa   udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa     udp
GB       216.58.212.202:443  -                            tcp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa   udp
US       13.107.246.64:443   -                            tcp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53          195.177.78.104.in-addr.arpa  udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa   udp
US       8.8.8.8:53          203.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          176.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53          69.179.17.96.in-addr.arpa    udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa    udp
US       8.8.8.8:53          81.135.221.88.in-addr.arpa   udp

Files

memory/4368-0-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/4368-1-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/4368-2-0x0000000000400000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe

MD5 8198e7c4e9e71084ed3cc44d8b4a081e
SHA1 7f9c2d366c5e78a544c451980503694994edcfad
SHA256 28ed63d1b70c632b46e9b98da098c77eac5cc9170c4632163ec42ea6ab52b2a5
SHA512 d95b998f58ec598a85c6de8b8273ca76a887659523d380400d84a78e8e49164f8aaabcb3290f8f3bbb9e052ea0d2a67a4cc30c4be415803c90b8f2c7183538f5

memory/4368-13-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4684-14-0x00000000018F0000-0x0000000001A21000-memory.dmp

memory/4684-15-0x0000000000400000-0x0000000000622000-memory.dmp

memory/4684-12-0x0000000000400000-0x00000000008E7000-memory.dmp

memory/4684-21-0x0000000005570000-0x0000000005792000-memory.dmp

memory/4684-20-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4684-28-0x0000000000400000-0x00000000008E7000-memory.dmp