Analysis Report zeus 1_1.3.3.6.vir

Overview

General Information

Sample Name: zeus 1_1.3.3.6.vir (renamed file extension from vir to exe)
Analysis ID: 247352
MD5: 37b593c8e58ab5a3a10c0ff8918dc92f
SHA1: 9b8895a9461fcfd636536417f0564b2ea02568a6
SHA256: baa8f2980a3a3a98c8841ebbdedde17688cc1464094d02c9c1e4b3bcda950438

Most interesting Screenshot:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Creates files inside the system directory
Enables debug privileges
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • zeus 1_1.3.3.6.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\zeus 1_1.3.3.6.exe' MD5: 37B593C8E58AB5A3A10C0FF8918DC92F)
    • WerFault.exe (PID: 4988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 368 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zeus 1_1.3.3.6.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: zeus 1_1.3.3.6.exe | Virustotal: Detection: 83%
Source: zeus 1_1.3.3.6.exe | Metadefender: Detection: 66%
Source: zeus 1_1.3.3.6.exe | ReversingLabs: Detection: 93%
Machine Learning detection for sample
Source: zeus 1_1.3.3.6.exe | Joe Sandbox ML: detected
Source: 0.0.zeus 1_1.3.3.6.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\zeus 1_1.3.3.6.exe | Code function: 0_2_00405928 GetSystemMetrics,GetTickCount,GetObjectW,NtdllDefWindowProc_W,SleepEx,MoveToEx,GetDC,GetWindowRect,VirtualAllocEx,
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 368
Source: zeus 1_1.3.3.6.exe, 00000000.00000000.428614840.0000000000433000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWsO.exe\ vs zeus 1_1.3.3.6.exe
Source: zeus 1_1.3.3.6.exe | Binary or memory string: OriginalFilenameWsO.exe\ vs zeus 1_1.3.3.6.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine | Classification label: mal60.winEXE@2/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4700
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF85B.tmp
Source: zeus 1_1.3.3.6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zeus 1_1.3.3.6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: zeus 1_1.3.3.6.exe | Virustotal: Detection: 83%
Source: zeus 1_1.3.3.6.exe | Metadefender: Detection: 66%
Source: zeus 1_1.3.3.6.exe | ReversingLabs: Detection: 93%
Source: unknown | Process created: C:\Users\user\Desktop\zeus 1_1.3.3.6.exe 'C:\Users\user\Desktop\zeus 1_1.3.3.6.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 368
Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\zeus 1_1.3.3.6.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\zeus 1_1.3.3.6.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

Mitre Att&ck Matrix

Techniques listed by tactic; a number in parentheses is the count shown beside that technique in the matrix.

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
  • Execution: Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface
  • Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service
  • Privilege Escalation: Process Injection (1), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service
  • Defense Evasion: Masquerading (1), Software Packing (1), Modify Registry (1), Virtualization/Sandbox Evasion (2), Process Injection (1), DLL Side-Loading (1)
  • Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
  • Discovery: Virtualization/Sandbox Evasion (2), Process Discovery (1), Security Software Discovery (2), System Information Discovery (11), Remote System Discovery (1), System Owner/User Discovery
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture
  • Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Data Obfuscation, Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.