Malware Analysis Report

2025-01-22 17:18

Sample ID: 241006-px85fsyerh
Target: test2.sh
SHA256: bb48e21f6cf72207b4e0ac0e1de5ad391527d1e808bc754c735de3859f95eee9
Tags: upx gozi banker discovery isfb trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bb48e21f6cf72207b4e0ac0e1de5ad391527d1e808bc754c735de3859f95eee9

Threat Level: Known bad

The file test2.sh was found to be: Known bad.

Malicious Activity Summary

upx gozi banker discovery isfb trojan

Gozi

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 12:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 12:43

Reported

2024-10-06 12:46

Platform

win7-20240708-en

Max time kernel

140s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test2.exe"

Signatures

Gozi

banker trojan gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (10 identical hits, no further details recorded)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test2.exe

"C:\Users\Admin\AppData\Local\Temp\test2.exe"

Network

Country Destination Domain Proto
CN 60.204.232.46:3232 - tcp (5 identical connections)

Files

memory/1900-0-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-2-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-4-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-5-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-9-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-10-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-12-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-13-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-15-0x0000000000160000-0x0000000000BB9000-memory.dmp

memory/1900-16-0x0000000000160000-0x0000000000BB9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 12:43

Reported

2024-10-06 12:46

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test2.exe"

Signatures

Gozi

banker trojan gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (12 identical hits, no further details recorded)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\test2.exe C:\Users\Admin\AppData\Local\Temp\test2.exe
PID 3920 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\test2.exe C:\Users\Admin\AppData\Local\Temp\test2.exe
PID 3920 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\test2.exe C:\Users\Admin\AppData\Local\Temp\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\test2.exe

"C:\Users\Admin\AppData\Local\Temp\test2.exe"

C:\Users\Admin\AppData\Local\Temp\test2.exe

C:\Users\Admin\AppData\Local\Temp\test2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CN 60.204.232.46:3232 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 60.204.232.46:3232 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 60.204.232.46:3232 - tcp
CN 60.204.232.46:3232 - tcp
CN 60.204.232.46:3232 - tcp

Files

memory/3920-0-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-2-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/3920-3-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-4-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-6-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-7-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-10-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-11-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-13-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-14-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-16-0x0000000000D50000-0x00000000017A9000-memory.dmp

memory/1036-17-0x0000000000D50000-0x00000000017A9000-memory.dmp