Malware Analysis Report

2025-01-22 18:50

Sample ID: 240316-qy7tfseb23
Target: ce318a1a4e653e0e2bf3fdaa7fbd8abf
SHA256: b363eede841cd4e93e2951ad418e7f54ccb3dfa432c5fd36af1fd0b565f71ba1
Tags: upx, gozi, banker, isfb, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b363eede841cd4e93e2951ad418e7f54ccb3dfa432c5fd36af1fd0b565f71ba1

Threat Level: Known bad

The file ce318a1a4e653e0e2bf3fdaa7fbd8abf was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-16 13:41

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-16 13:41
Reported: 2024-03-16 13:43
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

UPX packed file

upx

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/2076-2-0x00000000002A0000-0x00000000003D3000-memory.dmp

memory/2076-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2076-0-0x0000000000400000-0x00000000008EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

MD5 c192c8ed5bee5db2b7d64cc633e9919c
SHA1 6e8af141b2a1f1405e87a028ede458e2e8c4332a
SHA256 bc5f9060321ad2cf99615da21e17e30e8dc4edfdf89ced13b82ed236074e5830
SHA512 d2048a32defcbfc52d99c6b306996814b0ea036007596c495eca8d84cf014daeeeccf25d8b543c142ba48bc8b971310c27a2f4560b182612f4036ccf48ab1a19

\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

MD5 c4649b10fa8acd1f0f95a32c447941f8
SHA1 db967bb6c3123e8b2b9fa290bd34981c5eb2ec80
SHA256 8c60825815d62e7300c674100fd10123e2585cccc0e47a2d57d58e04842cb03c
SHA512 22341c6ae7d1ce269e5ec24848eadd5abeceb23807bd14c4861e261cffc66b9843489e4214ff86b0ce8dd3c2f1b378e64c26e111fc73d8ca4502647ab45fdf56

memory/2076-14-0x0000000003AA0000-0x0000000003F8F000-memory.dmp

memory/2884-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2076-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

MD5 14e008214017dba0b8c7868c3dd369e6
SHA1 699ee801a9b60602a3d6a048921779bffb196d89
SHA256 5eb7f2b88aac0a6793722412977a82225baaaa6c8aa9f723797b6058160912ad
SHA512 b90b7afac6d1a92fa5e4227941e682c9f0e9668c6fe0c0058c81584e4ba67dcca5397a4b3f5f16a6334a765eec65a2de489187db292030bf3b1d4cd628d8a87e

memory/2884-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2884-20-0x0000000000230000-0x0000000000363000-memory.dmp

memory/2884-24-0x00000000034C0000-0x00000000036EA000-memory.dmp

memory/2884-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2076-31-0x0000000003AA0000-0x0000000003F8F000-memory.dmp

memory/2884-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-16 13:41
Reported: 2024-03-16 13:43
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

UPX packed file

upx

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/3880-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3880-1-0x0000000001CA0000-0x0000000001DD3000-memory.dmp

memory/3880-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe

MD5 e5f91ed3ed68bf8697d3753640f52f6f
SHA1 ca25e10b28c82f82c00a2f9b123610fe9aea2d6f
SHA256 2ca51ea93cee41cea95651fa6ab9de69f85046147aa09fd3d2bb9e4fe403a7c9
SHA512 e6bc635c573228fed19418257fcf7459ea567f57ac89d20bed75275cc27953f99502358e701df277ca169d82afd4b2432bfe1c893c5fb2b0a9f0513844ee1121

memory/3880-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3300-14-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3300-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3300-16-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/3300-21-0x0000000005690000-0x00000000058BA000-memory.dmp

memory/3300-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3300-29-0x0000000000400000-0x00000000008EF000-memory.dmp