Malware Analysis Report

2025-03-15 07:28

Sample ID 241120-zngzqatepm
Target 20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161
SHA256 20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161
Tags
gozi banker discovery isfb trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161

Threat Level: Known bad

The file 20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161 was found to be: Known bad.

Malicious Activity Summary

gozi banker discovery isfb trojan upx

Gozi family

Gozi

Executes dropped EXE

Loads dropped DLL

Deletes itself

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-20 20:51

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
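Both static signatures above rest on checks an analyst can reproduce without the sandbox. The following Python is an added example, not part of this report or of any sandbox's code: a minimal PE32 header walker that looks for the UPX0/UPX1 section names and the "UPX!" marker stock UPX writes, measures per-section entropy, and tests whether the Authenticode certificate table (data directory entry 4) is empty. The bytes it examines are fabricated by build_sample_pe() to mimic a UPX layout; the report's sample is not embedded, and parse_pe, classify and build_sample_pe are names chosen here.

```python
"""Reproducing the 'UPX packed file' and 'Unsigned PE' static checks.

Constructed example: build_sample_pe() fabricates a small PE32 image laid out
the way stock UPX lays one out (UPX0 with no raw data, UPX1 holding the
compressed image, a 'UPX!' marker after the headers).  It is not the sample
from this report.
"""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS -> NT -> section headers; no third-party PE library needed."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, sz_opt, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]            # 0x10B PE32, 0x20B PE32+
    dd_off = opt + (112 if magic == 0x20B else 96)            # first data directory
    cert_off, cert_size = struct.unpack_from("<II", blob, dd_off + 4 * 8)  # entry 4: security
    sections = []
    for i in range(nsec):
        off = opt + sz_opt + i * 40
        name, vsize, _va, rawsz, rawptr = struct.unpack_from("<8sIIII", blob, off)
        data = blob[rawptr:rawptr + rawsz] if rawsz else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsz,
            "entropy": round(shannon_entropy(data), 2),
        })
    return {
        "sections": sections,
        # A populated security directory only means an Authenticode blob is
        # embedded; whether it verifies is a separate check.
        "has_cert_table": cert_off != 0 and cert_size != 0,
        "upx_magic": b"UPX!" in blob[:0x400],
    }


def classify(blob: bytes) -> dict:
    """Return the two verdicts the report's static signatures express."""
    info = parse_pe(blob)
    names = {s["name"] for s in info["sections"]}
    upx_names = bool(names & {"UPX0", "UPX1", "UPX2"})
    # UPX0 is the empty region the stub unpacks into; UPX1 carries the
    # compressed image and therefore reads as high-entropy.  Renamed sections
    # still give themselves away through the 'UPX!' marker plus the entropy.
    high_entropy = any(s["raw_size"] and s["entropy"] > 7.0 for s in info["sections"])
    return {
        "upx_packed": upx_names or (info["upx_magic"] and high_entropy),
        "unsigned_pe": not info["has_cert_table"],
        "sections": info["sections"],
    }


def build_sample_pe(signed: bool = False) -> bytes:
    """Constructed PE32 image with a UPX layout; not the real sample."""
    e_lfanew, nsec, sz_opt, raw_base = 0x40, 3, 0xE0, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, sz_opt, 0x0102)
    opt = bytearray(sz_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x3000, 0x800)  # fake certificate table entry
    upx1_data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stands in for compressed image
    rsrc_data = b"\0" * 1024                                   # low-entropy filler
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x20000, 0x1000, 0, 0),
        (b"UPX1", 0x1A000, 0x21000, len(upx1_data), raw_base),
        (b".rsrc", 0x1000, 0x3B000, len(rsrc_data), raw_base + len(upx1_data)),
    ]
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsz, rawptr, 0, 0, 0, 0, 0)
        for name, vsize, va, rawsz, rawptr in sections
    )
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_tbl
    headers += b"UPX!" + b"\0" * (raw_base - len(headers) - 4)
    return headers + upx1_data + rsrc_data


if __name__ == "__main__":
    for key, verdict in classify(build_sample_pe()).items():
        print(key, verdict)
```

An empty certificate table means "not embedded-signed" only: catalog-signed Windows binaries also come out as unsigned here, so the check is a triage hint rather than proof of provenance. Likewise a packer that renames its sections and strips the marker defeats the name test, which is why the entropy measurement is kept alongside it.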

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-20 20:51

Reported 2024-11-20 20:54

Platform win7-20240903-en

Max time kernel 121s

Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

Network

N/A

Files

memory/2092-0-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2092-8-0x0000000000030000-0x000000000003E000-memory.dmp

memory/2092-1-0x0000000000400000-0x000000000041B000-memory.dmp

\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

MD5 d9501bf36a9f17fef0a3e87c6c000295
SHA1 961d96c60dbdade172a311dfe47ec5cd79cd0abc
SHA256 1f2f31fa2408ee6c09cc7d54cd7241dff0008c060062896fb5e795ec79e190ec
SHA512 7f7caec09171b7d67d4943afe63ad57a3b3da11e9d5d744cc03ec6737a04b4305b55d49121608c05c64376852c21709dee4c550f63639ccf6676ee0d44e55718

Note: this file sits at the submitted sample's own path, yet its SHA256 (1f2f31fa...) differs from the submitted sample's (20f5d344...), so a different executable was written to that path during the run; that is consistent with the Executes dropped EXE, RenamesItself and Deletes itself signatures.

memory/2348-17-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2092-15-0x0000000000160000-0x000000000019A000-memory.dmp

memory/2092-14-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2348-18-0x0000000000030000-0x000000000003E000-memory.dmp

memory/2348-29-0x00000000001F0000-0x000000000020B000-memory.dmp

memory/2348-25-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2348-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2348-30-0x0000000000400000-0x000000000043A000-memory.dmp
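The dump names above encode the PID, a capture sequence number and the start and end of the region captured. The following Python is an added example, not produced by the sandbox: BEHAVIORAL1_DUMPS is the list of names copied from this Files section, and the functions group the captures by PID and show how the region at the image base (0x400000) is captured at changing sizes. Reading those size changes as the process unmapping and rewriting its own image is an interpretation that fits the Suspicious use of UnmapMainImage and WriteProcessMemory signatures in the summary; the report does not state it for these dumps. parse_dumps, image_base_timeline, pids_with_remapped_image and child_inherits_parent_layout are names chosen here.

```python
"""Reading the memory/<pid>-<seq>-<start>-<end>-memory.dmp names from the Files list.

Added example, not produced by the sandbox.  BEHAVIORAL1_DUMPS is copied from
the behavioral1 Files section of the report.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

BEHAVIORAL1_DUMPS = """
memory/2092-0-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2092-8-0x0000000000030000-0x000000000003E000-memory.dmp
memory/2092-1-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2348-17-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2092-15-0x0000000000160000-0x000000000019A000-memory.dmp
memory/2092-14-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2348-18-0x0000000000030000-0x000000000003E000-memory.dmp
memory/2348-29-0x00000000001F0000-0x000000000020B000-memory.dmp
memory/2348-25-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2348-19-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2348-30-0x0000000000400000-0x000000000043A000-memory.dmp
"""


def parse_dumps(text: str) -> list:
    """One record per dump name, ordered by (pid, capture sequence)."""
    regions = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if not m:
            continue                      # blank lines or on-disk file entries
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return sorted(regions, key=lambda r: (r["pid"], r["seq"]))


def image_base_timeline(regions, image_base=0x400000) -> dict:
    """Per PID: (seq, size) of every capture that starts at the image base."""
    timeline = defaultdict(list)
    for r in regions:
        if r["start"] == image_base:
            timeline[r["pid"]].append((r["seq"], r["size"]))
    return dict(timeline)


def pids_with_remapped_image(regions, image_base=0x400000) -> list:
    """PIDs whose image-base region was captured at more than one size."""
    return sorted(pid for pid, caps in image_base_timeline(regions, image_base).items()
                  if len({size for _, size in caps}) > 1)


def child_inherits_parent_layout(regions, parent: int, child: int) -> bool:
    """True if the child's first image-base capture has the same size as the parent's first."""
    tl = image_base_timeline(regions)
    return bool(tl.get(parent)) and bool(tl.get(child)) and tl[parent][0][1] == tl[child][0][1]


if __name__ == "__main__":
    regs = parse_dumps(BEHAVIORAL1_DUMPS)
    for pid, caps in image_base_timeline(regs).items():
        print(pid, [(seq, hex(size)) for seq, size in caps])
    print("image remapped in PIDs:", pids_with_remapped_image(regs))
```

Run against the names above, PID 2092 shows its image region at 0x3A000 bytes on the first capture and 0x1B000 afterwards, and PID 2348 (the child) starts at the same 0x3A000 layout before shrinking to 0x1B000 and 0xE000. When triaging, the later, smaller captures of the image region are the ones to pull for the unpacked code; the first capture is still the packed stub.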

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-20 20:51

Reported 2024-11-20 20:54

Platform win10v2004-20241007-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Every recorded query is a reverse-DNS (PTR) lookup of an IPv4 address (the in-addr.arpa names), sent to Google Public DNS on 8.8.8.8:53. No forward lookup and no connection to a command-and-control host appears in either run (behavioral1 recorded no network activity at all), and the last row has no name recorded in the report.
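To pivot on the table above you need the addresses back in normal order, since a PTR name carries the octets reversed. The following Python is an added example, not part of the report: NETWORK_ROWS is the table copied from this section, ptr_name_to_ip() undoes the reversal, and parse_network_rows() tolerates the final row that has no name. Whether the resulting addresses belong to Gozi infrastructure or to Windows background traffic is not something the report shows; the function names are chosen here.

```python
"""Decode the Network table: in-addr.arpa names are reverse (PTR) lookups.

Added example, not from the report.  NETWORK_ROWS is the behavioral2 table
copied into a string; the last row has no name, as in the report.
"""
import ipaddress

NETWORK_ROWS = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
"""


def ptr_name_to_ip(qname: str):
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'; None if not a valid PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None                    # partial (classless) PTR names are not handled here
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network_rows(text: str) -> list:
    """One dict per table row; rows without a recorded name keep qname=None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                   # blank line
        country, dest, proto = parts[0], parts[1], parts[-1]
        qname = parts[2] if len(parts) == 4 else None
        resolver, _, port = dest.rpartition(":")
        rows.append({"country": country, "resolver": resolver, "port": int(port),
                     "proto": proto, "qname": qname,
                     "ptr_ip": ptr_name_to_ip(qname) if qname else None})
    return rows


def summarize(rows: list) -> dict:
    """Separate reverse lookups (pivotable IPs) from forward lookups and unnamed rows."""
    return {
        "ptr_targets": [r["ptr_ip"] for r in rows if r["ptr_ip"]],
        "forward_lookups": [r["qname"] for r in rows if r["qname"] and not r["ptr_ip"]],
        "resolvers": sorted({f'{r["resolver"]}:{r["port"]}' for r in rows}),
        "unnamed_rows": sum(1 for r in rows if r["qname"] is None),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_network_rows(NETWORK_ROWS)).items():
        print(key, value)
```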

Files

memory/852-0-0x0000000000400000-0x000000000043A000-memory.dmp

memory/852-1-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/852-2-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe

MD5 8a296ab9ee3a612cbec835649d4cb5ff
SHA1 153326a06cd7f5cd0fc85e443355ce60908f241d
SHA256 5248eb5245bddb2c2e9eda49a1745613421a4c9fd393688512b5648f3412a56e
SHA512 70b277d50dd8e029e771531de3ef845aa2faac951910db79aca9650c843c975ddd2e82e9d58407b6a531c5ff00025b55f67cf55dd52ece45ff0a488634980278

Note: as in the Windows 7 run, the file at the sample's own path has a SHA256 (5248eb52...) that matches neither the submitted sample (20f5d344...) nor the copy recorded in behavioral1 (1f2f31fa...), so the rewritten executable differs from run to run; the submitted hash is the one to track, not the on-disk copy.

memory/1756-13-0x0000000000400000-0x000000000043A000-memory.dmp

memory/852-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1756-14-0x00000000000C0000-0x00000000000CE000-memory.dmp

memory/1756-15-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1756-25-0x00000000001D0000-0x00000000001EB000-memory.dmp

memory/1756-20-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1756-26-0x0000000000400000-0x000000000043A000-memory.dmp