Malware Analysis Report

2025-01-22 18:58

Sample ID 240317-d1d8psdd43
Target cfcf03e542480fb6ed96b729d2b5beff
SHA256 1936713a6318021fbd5a0893483bc671804117d5c6ac3fb4566cf0eb66326bb6
Tags upx isfb gozi banker trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1936713a6318021fbd5a0893483bc671804117d5c6ac3fb4566cf0eb66326bb6

Threat Level: Known bad

The file cfcf03e542480fb6ed96b729d2b5beff was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi banker trojan

Gozi

Gozi family

Executes dropped EXE

Loads dropped DLL

Deletes itself

UPX packed file

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-17 03:28

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
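The two static1 signatures above ("UPX packed file" and "Unsigned PE") can be reproduced from the PE headers alone. The following is an added example, not the sandbox's own signature code: it parses the section table and the Authenticode (security) data directory of a PE32/PE32+ image and reports the two findings. The section-name heuristic and the `build_pe32` fixture are this example's assumptions; no bytes of the real sample are embedded, the test images are constructed here.

```python
"""Static triage checks for 'UPX packed file' and 'Unsigned PE' (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}   # default names the UPX stub leaves behind


def parse_pe(data: bytes) -> dict:
    """Return section names and the security data directory (offset, size) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        dir_off = opt + 96
    elif magic == 0x20B:      # PE32+: at offset 112
        dir_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes precedes the table
    sec_off, sec_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_hdr = opt + opt_size
    sections = [struct.unpack_from("<8s", data, sec_hdr + 40 * i)[0].rstrip(b"\0")
                for i in range(nsections)]
    return {"machine": machine, "sections": sections, "security_dir": (sec_off, sec_size)}


def is_upx_packed(info: dict) -> bool:
    """Section-name heuristic only: trivially defeated by renaming sections, so treat a miss as 'unknown'."""
    return any(name in UPX_SECTION_NAMES for name in info["sections"])


def is_unsigned(info: dict) -> bool:
    """Empty security directory = no embedded Authenticode blob at all.
    A non-empty one means a signature is present, not that it verifies (check with signtool/osslsigncode)."""
    return info["security_dir"][1] == 0


def static_signatures(data: bytes) -> list:
    """Names of the page's static signatures that fire on this image."""
    info = parse_pe(data)
    hits = []
    if is_upx_packed(info):
        hits.append("UPX packed file")
    if is_unsigned(info):
        hits.append("Unsigned PE")
    return hits


def build_pe32(section_names, security_size=0) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given section names (test fixture, assumed layout)."""
    opt_size = 96 + 16 * 8                                    # PE32 header fields + 16 data directories = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # magic ... NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    secs = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + coff + opt + bytes(dirs) + secs


if __name__ == "__main__":
    print(static_signatures(build_pe32([b"UPX0", b"UPX1", b".rsrc"])))
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `static_signatures`. Both checks are deliberately conservative: a packed sample with renamed sections or a custom stub will not match the name set (entropy of the entry-point section is the usual second opinion), and "signed" here only means a certificate table exists.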

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 03:28

Reported

2024-03-17 03:30

Platform

win7-20240221-en

Max time kernel

118s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"

Signatures

Gozi

banker trojan gozi

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1812-0-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1812-2-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1812-4-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

MD5 5154bd1fd30757b74adbc3f1b245731f
SHA1 c97003fd5b3f1fadc0948576dc037e67121d6fe5
SHA256 c07a377acf55b255dda36ef952ed501ccfc8de940772de42a50caff880f285ac
SHA512 8a19e2f1c2e2b3aad1c2b87bafa39782919770a8050dfc630109d25ab8bf880c33b8963a624997bd27637afd578547b66dede689efe7844759a73324ae322553

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

MD5 99bb5477577220171d06951028e05c3d
SHA1 0e32054d89299653ccc0918dd1858b6a7280b2f4
SHA256 58130ffb586abd80fb7145b9bbe59df6e2b8f222469ddb52d358f9098e90f2af
SHA512 1183ed2a73c28d8600e805eb6f120832fe87ab7dc768011c7d396079d723913cfead1dc373372c9bf25b3eedd5994cc5afc85365b992c656cf72c10980a91bcc

memory/2772-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1812-14-0x0000000003E60000-0x000000000434F000-memory.dmp

memory/1812-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

MD5 b15511522a2e5f2572e36f2a20410458
SHA1 7c4f078761f806aa9f5345312f2e5c7f92a4e08b
SHA256 6c7114bd47773b1de6c4a190d9be32576b30208454442c49d4671cd6b0223764
SHA512 012f359814f9df7006434e7ea2f389c2f906e94bb67ae257aa407ef86e0f201622c72d1280977d1d4760f636e7cb705de580fde72171ede314b4d11b3e62b3a4

memory/2772-18-0x00000000002C0000-0x00000000003F3000-memory.dmp

memory/2772-17-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2772-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2772-25-0x00000000036E0000-0x000000000390A000-memory.dmp

memory/1812-31-0x0000000003E60000-0x000000000434F000-memory.dmp

memory/2772-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 03:28

Reported

2024-03-17 03:30

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/4984-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4984-1-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/4984-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe

MD5 90884e49d89bb4b4cbaad31a704bb0a1
SHA1 19a4846ecd77d5760c6081b1ccfa5407675b91d1
SHA256 e6b382a4a7a957b01f5aa77cf365fbcb04cf6a747890a57e569d0ca882ae3217
SHA512 e9d86a489cf46a40b31ea92a5be1c441c8fa030668610ea08778320d507a48089a12a82168d62255a0e499308113f0ebdc37908160f4700c2e6de10af1df1393

memory/4984-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3804-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3804-16-0x0000000001DA0000-0x0000000001ED3000-memory.dmp

memory/3804-14-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/3804-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3804-21-0x00000000056A0000-0x00000000058CA000-memory.dmp

memory/3804-29-0x0000000000400000-0x00000000008EF000-memory.dmp
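The memory dump names in both Files lists encode a process id, a dump sequence number and the dumped address range, and in each detonation the region at 0x400000 is dumped with several different sizes (for pid 3804: 0x4EF000, 0x22A000, 0x21D000, then 0x4EF000 again). The script below is an added example, not the sandbox's tooling: it parses those names and lists, per process, how the region at the image base was re-sized between dumps. Treating 0x400000 as the image base is an assumption from the dump list, and reading a re-sized image region as evidence that the mapping was replaced (what the UnmapMainImage and RenamesItself signatures in the summary describe) is this example's interpretation; confirming it means diffing the PE headers inside the dumps. The embedded names are copied from the behavioral2 list; the behavioral1 names (pids 1812 and 2772) parse the same way.

```python
"""Summarise image-base region changes from sandbox memory dump names (added example)."""
import re
from collections import defaultdict

DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed from the behavioral2 Files list on this page.
DUMP_NAMES = [
    "memory/4984-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/4984-1-0x00000000018F0000-0x0000000001A23000-memory.dmp",
    "memory/4984-2-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/4984-13-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/3804-15-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/3804-16-0x0000000001DA0000-0x0000000001ED3000-memory.dmp",
    "memory/3804-14-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/3804-22-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/3804-21-0x00000000056A0000-0x00000000058CA000-memory.dmp",
    "memory/3804-29-0x0000000000400000-0x00000000008EF000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into numeric fields plus region size."""
    m = DUMP.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: %r" % name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def image_base_timeline(names, image_base=0x400000) -> dict:
    """pid -> [(seq, size), ...] for every dump whose region starts at image_base, in dump order."""
    per_pid = defaultdict(list)
    dumps = sorted((parse_dump_name(n) for n in names), key=lambda d: (d["pid"], d["seq"]))
    for d in dumps:
        if d["start"] == image_base:
            per_pid[d["pid"]].append((d["seq"], d["size"]))
    return dict(per_pid)


def resized_image_regions(names, image_base=0x400000) -> list:
    """pids whose image-base region was dumped with more than one size, i.e. the mapping there changed."""
    timeline = image_base_timeline(names, image_base)
    return sorted(pid for pid, tl in timeline.items() if len({size for _, size in tl}) > 1)


if __name__ == "__main__":
    for pid, tl in image_base_timeline(DUMP_NAMES).items():
        print(pid, [(seq, hex(size)) for seq, size in tl])
    print("re-mapped image base in pids:", resized_image_regions(DUMP_NAMES))
```

The same pattern shows up in behavioral1, where pids 1812 and 2772 each have the 0x400000 region dumped at both 0x22A000 and 0x4EF000 bytes, and where the dropped-file entries record the same path C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe under three different hashes. Dump sizes alone do not distinguish an in-place unpack from a hollowed image, so the next step is to open the first and last dump of each pid and compare their PE headers and entry points.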