Malware Analysis Report

2025-01-22 18:58

Sample ID 240317-bwhdfsbb85
Target cf94c09e9d49150a8d64edf15b455718
SHA256 8fa615934e98989128a0740ed48aabe50b857304a07a3f09a8572c10d70f2828
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fa615934e98989128a0740ed48aabe50b857304a07a3f09a8572c10d70f2828

Threat Level: Known bad

The file cf94c09e9d49150a8d64edf15b455718 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Loads dropped DLL

UPX packed file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-17 01:29

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
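
The two static1 verdicts above (UPX packed file, Unsigned PE) can be re-derived from the PE headers alone, which is worth doing when a sandbox tag is all you have. The script below is an added example by the editor, not part of the sandbox report or of any tool it uses; it needs only the Python standard library. Because the sample is not available here, build_test_pe constructs a headers-only PE32 image to exercise the checks, and parse_pe, triage and the UPX section-name list are the example's own. Two caveats: section names and the "UPX!" marker are heuristics (both can be stripped or renamed, so a negative result does not clear a file), and a non-zero security data directory only means a signature blob is attached, not that it verifies.

```python
"""Static re-check of the static1 signatures: UPX packing and an unsigned PE.
Added example (editor's code, not the sandbox's); standard library only."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot of the Authenticode blob
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Decode just enough of a PE to get section names and the security
    directory size; malformed input raises instead of reading as 'clean'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                         # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                       # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dir_count = struct.unpack_from("<I", data, opt + count_off)[0]
    security_size = 0
    if dir_count > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        _offset, security_size = struct.unpack_from("<II", data, entry)
    table = opt + opt_size
    if table + 40 * num_sections > len(data):
        raise ValueError("section table runs past end of file")
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
             for i in range(num_sections)]
    return {"sections": names, "security_dir_size": security_size}


def triage(data: bytes) -> dict:
    """The two static1 verdicts plus the hash the report is keyed on."""
    info = parse_pe(data)
    by_name = any(n in UPX_SECTION_NAMES for n in info["sections"])
    by_marker = b"UPX!" in data[:0x400]        # l_info magic UPX leaves near the headers
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "upx_packed": by_name or by_marker,
        "unsigned": info["security_dir_size"] == 0,
        "sections": [n.decode("ascii", "replace") for n in info["sections"]],
    }


def build_test_pe(section_names, signed=False, upx_marker=False) -> bytes:
    """Constructed headers-only PE32 image for exercising the checks above.
    It is not executable and has nothing to do with the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt = bytearray(224)                                       # PE32 header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    marker = b"UPX!" if upx_marker else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + marker


if __name__ == "__main__":
    print(triage(build_test_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_test_pe([b".text", b".data"], signed=True)))
```

Run it against the real sample by reading the file into bytes and passing it to triage; a result of upx_packed and unsigned both True reproduces the static1 table, and the sha256 field should match the value in the overview.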

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 01:29

Reported

2024-03-17 01:32

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

"C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe"

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2684-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2684-2-0x0000000000280000-0x00000000003B3000-memory.dmp

memory/2684-0-0x0000000000400000-0x00000000008EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

MD5 10918f6a0330d30a8f62e3e35ac5f5a1
SHA1 256d878193f8ae218781d92a1d9481ce23ee4e5a
SHA256 91cb135ca90c0e87ba1d9f0fc357dc4ee3944578638e35cd55c255c47ac06bee
SHA512 83d414553dce4f04f1f40e194dfdcfb5455621e5a602ca455b6bfc7dd596ee7a83c1dbacc41b85e6501dfaa6f2fda9247cd41ea1aa1621d4d7f4550fc1c7fb96

memory/2684-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2976-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2976-16-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

MD5 26129fb58630e1a0f46147af02f78fd1
SHA1 5ae374fa131b5c5225b703700ba706409967d9eb
SHA256 c2784d9b2b764843a60d5962d303ae605ca384cfa646daff99fc57e6cce97358
SHA512 a99f6d99dcca76c1c2afa98edd252e00a0899520c6d2f58276ade7138f3de0c2de8f31c3fd13a48eca8bd905b2966b53d5870e5c80455ca6ad0a19172394c78d

memory/2684-13-0x0000000003650000-0x0000000003B3F000-memory.dmp

memory/2976-19-0x0000000000130000-0x0000000000263000-memory.dmp

memory/2976-24-0x0000000003400000-0x000000000362A000-memory.dmp

memory/2976-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2684-31-0x0000000003650000-0x0000000003B3F000-memory.dmp

memory/2976-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 01:29

Reported

2024-03-17 01:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

"C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe"

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
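
The Network tables of behavioral1 and behavioral2 mix three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53), the connections the resolved names led to, and, on the Windows 10 image only, reverse (in-addr.arpa) lookups, a direct connection with no name, and Microsoft CDN traffic. Several of the reverse lookups are for addresses that appear elsewhere in the same table: 180.144.67.172.in-addr.arpa is 172.67.144.180 (the zipansion.com endpoint), 204.20.21.104.in-addr.arpa is 104.21.20.204 (yxeepsek.net), and 200.197.79.204.in-addr.arpa is 204.79.197.200 (tse1.mm.bing.net). The script below is an added example by the editor, not part of the report: it parses rows copied from both tables (a representative subset of the win10 table, embedded inline), classifies them, decodes the reverse names, and reports which contacted domains recur across both OS images. The classification rules and function names are the example's own. A domain contacted on both Win7 and Win10 is a stronger candidate for sample-driven traffic than one seen on a single image, but the table alone does not establish that any of them is command and control.

```python
"""Turn the Network tables of both behavioral runs into IOC candidates.
Added example (editor's code, not the sandbox's). Rows are copied from the
report; the row classification is this example's own heuristic."""
from collections import namedtuple

Row = namedtuple("Row", "country dest domain proto")

# Rows copied from the behavioral1 (win7) table above.
BEHAVIORAL1 = """\
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp
"""

# Representative subset of the behavioral2 (win10) table above.
BEHAVIORAL2 = """\
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8:53"                      # the sandbox's DNS server in both runs


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                   # direct-IP rows have no Domain column
            parts.insert(2, "")
        rows.append(Row(*parts))
    return rows


def reverse_name_to_ip(name: str) -> str:
    """'68.32.126.40.in-addr.arpa' -> '40.126.32.68'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(name)
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def classify(row: Row) -> str:
    if row.domain.endswith(".in-addr.arpa"):
        return "reverse_lookup"
    if row.dest == RESOLVER:
        return "dns_query"
    if not row.domain:
        return "direct_ip"
    return "connection"


def summarize(rows: list) -> dict:
    """Connections keyed by domain, plus the IPs that were reverse-resolved
    and the endpoints contacted without any preceding name lookup."""
    out = {"connections": {}, "reverse_lookups": set(), "direct_ips": set()}
    for r in rows:
        kind = classify(r)
        if kind == "connection":
            out["connections"].setdefault(r.domain, set()).add(r.dest)
        elif kind == "reverse_lookup":
            out["reverse_lookups"].add(reverse_name_to_ip(r.domain))
        elif kind == "direct_ip":
            out["direct_ips"].add(r.dest)
    return out


def reverse_lookups_of_own_destinations(summary: dict) -> set:
    """Reverse lookups whose target IP is one this run connected to."""
    contacted = {dest.rsplit(":", 1)[0]
                 for dests in summary["connections"].values() for dest in dests}
    return summary["reverse_lookups"] & contacted


def cross_run_domains(*summaries: dict) -> dict:
    """Domains contacted in every run versus only in some of them."""
    sets = [set(s["connections"]) for s in summaries]
    common = set.intersection(*sets)
    return {"in_all_runs": common, "in_some_runs": set.union(*sets) - common}


if __name__ == "__main__":
    s1 = summarize(parse_rows(BEHAVIORAL1))
    s2 = summarize(parse_rows(BEHAVIORAL2))
    print(cross_run_domains(s1, s2))
    print(sorted(reverse_lookups_of_own_destinations(s2)))
    print(sorted(s2["direct_ips"]))
```

The direct connection to 52.142.223.178:80 with no preceding lookup, and the remaining reverse lookups for addresses the sample never contacted, are left in their own buckets rather than discarded, so that a reviewer can decide whether they belong to the sample or to the Windows 10 image.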

Files

memory/3392-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3392-1-0x0000000001BF0000-0x0000000001D23000-memory.dmp

memory/3392-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf94c09e9d49150a8d64edf15b455718.exe

MD5 30b2087af1d265a4f7532e5f40771ff9
SHA1 c2c5382d05ba04981c0474557d228c182d5c63ca
SHA256 fa0263d0e27311b473273eee95be992fb3f5a154661660f7d3005b7dd264bdaf
SHA512 951fac85a200356bef75fb12089240cf77decd717d13c6ea91eb1b784b6bac6c44b7431f632added0daebb5ae41e954d51c0d19b294e0064df6ed6fac720b333

memory/3392-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/5052-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/5052-16-0x0000000001D50000-0x0000000001E83000-memory.dmp

memory/5052-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/5052-20-0x0000000005650000-0x000000000587A000-memory.dmp

memory/5052-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/5052-28-0x0000000000400000-0x00000000008EF000-memory.dmp
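
The memory dump names in both Files sections appear to encode a process ID, a dump sequence number, and the start and end address of the dumped region (memory/<pid>-<seq>-<start>-<end>-memory.dmp; that reading of the names is an assumption of the example below, not something the report states). Read that way, the mapping at the image base 0x400000 changes size inside a single process (0x4EF000, then 0x22A000, then 0x21D000 in the second process of each run), and each run also has a region at another address whose size equals one of those image sizes (0x3650000 in PID 2684, 0x3400000 in PID 2976, 0x5650000 in PID 5052). That is the pattern one would expect from a process that stages a second image and maps it over its own, which is what the UnmapMainImage and RenamesItself signatures in the summary describe, though the dump names alone do not prove it; those regions are the dumps to open first. The script below is an added example by the editor, not part of the report; the dump names are copied from the two Files sections and the function names are the example's own.

```python
"""Group the memory dumps of both behavioral runs by process and flag image
remapping. Added example (editor's code, not the sandbox's). Reading the
dump names as pid-seq-start-end is an assumption of this example."""
import re
from collections import defaultdict, namedtuple

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
Region = namedtuple("Region", "pid seq start end")
IMAGE_BASE = 0x400000                  # base the main image is mapped at in every dump

# Dump names copied from the behavioral1 (win7) Files section above.
BEHAVIORAL1_DUMPS = """
memory/2684-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2684-2-0x0000000000280000-0x00000000003B3000-memory.dmp
memory/2684-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2684-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2976-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2976-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2684-13-0x0000000003650000-0x0000000003B3F000-memory.dmp
memory/2976-19-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2976-24-0x0000000003400000-0x000000000362A000-memory.dmp
memory/2976-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2684-31-0x0000000003650000-0x0000000003B3F000-memory.dmp
memory/2976-32-0x0000000000400000-0x00000000008EF000-memory.dmp
"""

# Dump names copied from the behavioral2 (win10) Files section above.
BEHAVIORAL2_DUMPS = """
memory/3392-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3392-1-0x0000000001BF0000-0x0000000001D23000-memory.dmp
memory/3392-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3392-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5052-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5052-16-0x0000000001D50000-0x0000000001E83000-memory.dmp
memory/5052-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5052-20-0x0000000005650000-0x000000000587A000-memory.dmp
memory/5052-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/5052-28-0x0000000000400000-0x00000000008EF000-memory.dmp
"""


def parse_dumps(text: str) -> list:
    """Regions in (pid, seq) order; seq is taken as the order the dumps were made."""
    regions = [Region(int(p), int(s), int(a, 16), int(b, 16))
               for p, s, a, b in DUMP_RE.findall(text)]
    return sorted(regions, key=lambda r: (r.pid, r.seq))


def image_timeline(regions: list, image_base: int = IMAGE_BASE) -> dict:
    """Per PID, the successive distinct sizes of the mapping at the image base.
    More than one entry means the image was replaced while the process ran."""
    timeline = defaultdict(list)
    for r in regions:
        if r.start == image_base:
            size = r.end - r.start
            if not timeline[r.pid] or timeline[r.pid][-1] != size:
                timeline[r.pid].append(size)
    return dict(timeline)


def staged_copies(regions: list, image_base: int = IMAGE_BASE) -> set:
    """Regions away from the image base whose size equals a size the image
    base has had in the same process: candidates for a staged second image."""
    image_sizes = defaultdict(set)
    for r in regions:
        if r.start == image_base:
            image_sizes[r.pid].add(r.end - r.start)
    return {(r.pid, r.start, r.end - r.start)
            for r in regions
            if r.start != image_base and (r.end - r.start) in image_sizes[r.pid]}


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        regions = parse_dumps(text)
        print(label, {pid: [hex(s) for s in sizes] for pid, sizes in image_timeline(regions).items()})
        print(label, sorted((pid, hex(a), hex(n)) for pid, a, n in staged_copies(regions)))
```

Both runs give the same shape: the first process goes from a 0x4EF000 image to a 0x22A000 one, the second process cycles through 0x22A000, 0x4EF000, 0x21D000 and back to 0x4EF000, and in each run exactly the regions named in the lead-in match an image size. Two 0x133000 regions per run (0x280000 and 0x130000 on win7, 0x1BF0000 and 0x1D50000 on win10) match no image size and are not flagged.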