Malware Analysis Report

2025-01-22 18:50

Sample ID 240316-z3f1zacd4x
Target cf166c2b80996bf38ef72d5688a7faca
SHA256 235991df38888107f40151fdb491f2f92c78c8c9d87fcc23c7d574b572c53c7c
Tags
upx gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

235991df38888107f40151fdb491f2f92c78c8c9d87fcc23c7d574b572c53c7c

Threat Level: Known bad

The file cf166c2b80996bf38ef72d5688a7faca was found to be: Known bad.

Malicious Activity Summary

upx gozi banker isfb trojan

Gozi

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-16 21:14

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 21:14

Reported

2024-03-16 21:16

Platform

win7-20240221-en

Max time kernel

117s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/3048-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3048-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3048-2-0x0000000000130000-0x0000000000263000-memory.dmp

\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

MD5 51383ffbc7da18575021a71e7247e535
SHA1 325de6c10cf0363a36c5d2bd064bc5ae2044be98
SHA256 2e8aa4b6a897795c04d07d9743c2831cc2d6104f1d2885374429fb8851d42e7a
SHA512 8bedf8ab462fcf07963ab9f6bf252d2449489818b2a9657461eb6d699d0a6aa2da0044a11a939983b70ab091e101bffa26fcf84f5fb08f309bb32b463a8c875a

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

MD5 f425263df099a6d9b111f00364cc506f
SHA1 f8bfe402a39a3435f801435f0f5dd07a01408d46
SHA256 9ef3491d4ea47bac46d5a5f469728853b142bb34a633c9ed908855fbfa2f7030
SHA512 d01cde5c26b33fb9ea45cbd03388c28244060138ba609388390d8dea2aac0bc0c05fc6e49e0f270cdeb957389d634808d83aaa096adee114f5088165dd797c14

memory/3048-14-0x0000000003DB0000-0x000000000429F000-memory.dmp

memory/2468-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2468-18-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2468-17-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3048-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2468-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2468-24-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/2468-31-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 21:14

Reported

2024-03-16 21:17

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/2896-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2896-1-0x0000000001C60000-0x0000000001D93000-memory.dmp

memory/2896-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe

MD5 e39513159da2f71b8167f64c40f7d724
SHA1 e378c45a0dc020ee6bd8c1909eb837179245dfbb
SHA256 5483bfa059668b6f53a13f961a6e8dd7d030ee5d9151e669f59566bca57bf102
SHA512 9c2d8546927a84753ef63994431bd8eac96290f98a2cfd9fda81601aa889edd124510a999a196fa25ab2db2c6719bd1ce6c27e9e7bedd7cb93e650a187c3bd80

memory/2896-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4756-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4756-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4756-14-0x0000000001CF0000-0x0000000001E23000-memory.dmp

memory/4756-20-0x00000000055F0000-0x000000000581A000-memory.dmp

memory/4756-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/4756-28-0x0000000000400000-0x00000000008EF000-memory.dmp