
Analysis Report iceix_1.2.0.0.vir

Overview

General Information

Sample Name: iceix_1.2.0.0.vir (renamed file extension from vir to exe)
Analysis ID: 247495
MD5: 4581c813cbc584530b75c58c30d8b29b
SHA1: ae17112eff30ff1daacac943e5551a31f7e896a6
SHA256: fa4bd653c43c8c9ce265eba2bd425962752b062fea81327d3cd5338b545d611e

Most interesting Screenshot:

Detection

ZeusVM
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
May initialize a security null descriptor
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • iceix_1.2.0.0.exe (PID: 1396 cmdline: 'C:\Users\user\Desktop\iceix_1.2.0.0.exe' MD5: 4581C813CBC584530B75C58C30D8B29B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: iceix_1.2.0.0.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: iceix_1.2.0.0.exe | Virustotal: Detection: 88%
Source: iceix_1.2.0.0.exe | Metadefender: Detection: 74%
Source: iceix_1.2.0.0.exe | ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: iceix_1.2.0.0.exe | Joe Sandbox ML: detected
Source: 0.0.iceix_1.2.0.0.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.iceix_1.2.0.0.exe.21b0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.iceix_1.2.0.0.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: 0.2.iceix_1.2.0.0.exe.510000.1.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004089AA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040FE68 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040F2BC GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040CEAA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004094C0 WaitForSingleObject,InternetReadFile
Source: iceix_1.2.0.0.exe | String found in binary or memory: http://www.google.com/webhp
Source: iceix_1.2.0.0.exe, 00000000.00000002.463461280.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.google.com/webhpbc-vGetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInf
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00417040 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00416ED3 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00412DFC lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00413AD4 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040902B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040E2AD InitiateSystemShutdownExW,ExitWindowsEx
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041BB9F CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040A471
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004088B6
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00401E13
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041D2AB
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EB000
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B2425
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B9490
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B350D
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021ECD33
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EC96B
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B8602
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B7A56
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EDB1D
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B3F12
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021BC396
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B6C63
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021ED13F
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B614E
Source: iceix_1.2.0.0.exe | Static PE information: Number of sections : 11 > 10
Source: iceix_1.2.0.0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iceix_1.2.0.0.exe | Binary or memory string: V0v.sLN:[YZ:X[}VXx^\[E
Source: classification engine | Classification label: mal88.bank.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DC6C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DAF7 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00408DD5 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00418813 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040DC14 CoCreateInstance,VariantInit,SysAllocString,VariantClear
Source: iceix_1.2.0.0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: iceix_1.2.0.0.exe | Virustotal: Detection: 88%
Source: iceix_1.2.0.0.exe | Metadefender: Detection: 74%
Source: iceix_1.2.0.0.exe | ReversingLabs: Detection: 92%
Source: iceix_1.2.0.0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: I:\JDlqokg\lDjsloln\rjjeREouuL\zjiPPary\tBEfrLkuU.pdb source: iceix_1.2.0.0.exe
Source: Binary string: I:\JDlqokg\lDjsloln\rjjeREouuL\zjiPPary\tBEfrLkuU.pdbH source: iceix_1.2.0.0.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Unpacked PE file: 0.2.iceix_1.2.0.0.exe.400000.0.unpack .text:ER;.itext:R;.data:W;.form1:R;.form2:W;.form3:R;.form4:R;.info:R;.idata:R;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Unpacked PE file: 0.2.iceix_1.2.0.0.exe.400000.0.unpack
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040B406 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form1
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form2
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form3
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form4
Source: iceix_1.2.0.0.exe | Static PE information: section name: .info
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040209D push es; iretd 0_2_004020AC
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00402769 push cs; iretd 0_2_00402778
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00402733 push cs; ret 0_2_00402748
Source: initial sample | Static PE information: section name: .text entropy: 7.58246971662
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041557B LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040CEAA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040B406 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041ACFD mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041B00B GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040AD0D InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DCBC PFXImportCertStore,GetSystemTime
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00419580 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004077CE GetTimeZoneInformation
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041E058 GetVersionExW,GetNativeSystemInfo
Source: iceix_1.2.0.0.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: iceix_1.2.0.0.exe | String found in binary or memory: RFB 003.003
Source: iceix_1.2.0.0.exe | String found in binary or memory: RFB 003.003
Source: iceix_1.2.0.0.exe, 00000000.00000002.463461280.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: ! *.jpg|*.png|*.css|.gif|*.js|*.bmp|*.tiff|*.ico|*.pdf|*.zip|*.exe|*.msi-.tmphttp://www.google.com/webhpbc-vGetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInformationProcessRtlUserThreadStartLdrLoadDllLdrGetDllHandle.datRFB 003.003
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040A860 socket,bind,listen,closesocket
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040AB3E socket,bind,closesocket

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Execution through API (1) | Create Account (1) | Valid Accounts (1) | Software Packing (23) | Input Capture (11) | System Time Discovery (2) | Remote File Copy (1) | Input Capture (11) | Data Encrypted (1) | Commonly Used Port (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Replication Through Removable Media | Graphical User Interface (1) | Valid Accounts (1) | Access Token Manipulation (11) | Obfuscated Files or Information (2) | Network Sniffing | Account Discovery (1) | Remote Desktop Protocol (1) | Clipboard Data (1) | Exfiltration Over Other Network Medium | Remote File Copy (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Application Shimming (1) | Application Shimming (1) | Valid Accounts (1) | Input Capture | Security Software Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Access Token Manipulation (11) | Credentials in Files | File and Directory Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Remote Access Tools (1) | SIM Card Swap | Premium SMS Toll Fraud | 
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Install Root Certificate (1) | Account Manipulation | System Information Discovery (3) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | Network Share Discovery (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features | 
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Process Discovery (1) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | 
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Owner/User Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | 

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots
