
Analysis Report iceix_1.2.0.0.vir

Overview

General Information

Sample Name: iceix_1.2.0.0.vir (renamed file extension from vir to exe)
Analysis ID: 247495
MD5: 4581c813cbc584530b75c58c30d8b29b
SHA1: ae17112eff30ff1daacac943e5551a31f7e896a6
SHA256: fa4bd653c43c8c9ce265eba2bd425962752b062fea81327d3cd5338b545d611e

Detection

ZeusVM
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
May initialize a security null descriptor
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • iceix_1.2.0.0.exe (PID: 1396 cmdline: 'C:\Users\user\Desktop\iceix_1.2.0.0.exe' MD5: 4581C813CBC584530B75C58C30D8B29B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: iceix_1.2.0.0.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: iceix_1.2.0.0.exe | Virustotal: Detection: 88%
Source: iceix_1.2.0.0.exe | Metadefender: Detection: 74%
Source: iceix_1.2.0.0.exe | ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: iceix_1.2.0.0.exe | Joe Sandbox ML: detected
Source: 0.0.iceix_1.2.0.0.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.iceix_1.2.0.0.exe.21b0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.iceix_1.2.0.0.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: 0.2.iceix_1.2.0.0.exe.510000.1.unpack | Avira: Label: TR/Spy.Zbot.aoqb.5
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004089AA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040FE68 CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040F2BC GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040CEAA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004094C0 WaitForSingleObject,InternetReadFile,
Source: iceix_1.2.0.0.exe | String found in binary or memory: http://www.google.com/webhp
Source: iceix_1.2.0.0.exe, 00000000.00000002.463461280.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.google.com/webhpbc-vGetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInf
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00417040 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00416ED3 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00412DFC lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00413AD4 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040902B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040E2AD InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041BB9F CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040A471
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004088B6
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00401E13
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041D2AB
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EB000
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B2425
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B9490
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B350D
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021ECD33
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EC96B
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B8602
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B7A56
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021EDB1D
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B3F12
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021BC396
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B6C63
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021ED13F
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_021B614E
Source: iceix_1.2.0.0.exe | Static PE information: Number of sections : 11 > 10
Source: iceix_1.2.0.0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iceix_1.2.0.0.exe | Binary or memory string: V0v.sLN:[YZ:X[}VXx^\[E
Source: classification engine | Classification label: mal88.bank.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DC6C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DAF7 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00408DD5 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00418813 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040DC14 CoCreateInstance,VariantInit,SysAllocString,VariantClear,
Source: iceix_1.2.0.0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: iceix_1.2.0.0.exe | Virustotal: Detection: 88%
Source: iceix_1.2.0.0.exe | Metadefender: Detection: 74%
Source: iceix_1.2.0.0.exe | ReversingLabs: Detection: 92%
Source: iceix_1.2.0.0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: I:\JDlqokg\lDjsloln\rjjeREouuL\zjiPPary\tBEfrLkuU.pdb | source: iceix_1.2.0.0.exe
Source: Binary string: I:\JDlqokg\lDjsloln\rjjeREouuL\zjiPPary\tBEfrLkuU.pdbH | source: iceix_1.2.0.0.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Unpacked PE file: 0.2.iceix_1.2.0.0.exe.400000.0.unpack .text:ER;.itext:R;.data:W;.form1:R;.form2:W;.form3:R;.form4:R;.info:R;.idata:R;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Unpacked PE file: 0.2.iceix_1.2.0.0.exe.400000.0.unpack
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040B406 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form1
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form2
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form3
Source: iceix_1.2.0.0.exe | Static PE information: section name: .form4
Source: iceix_1.2.0.0.exe | Static PE information: section name: .info
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040209D push es; iretd
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00402769 push cs; iretd
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00402733 push cs; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.58246971662
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041557B LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040CEAA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040B406 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,FreeLibrary,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041ACFD mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041B00B GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040AD0D InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041DCBC PFXImportCertStore,GetSystemTime,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_00419580 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_004077CE GetTimeZoneInformation,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0041E058 GetVersionExW,GetNativeSystemInfo,
Source: iceix_1.2.0.0.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: iceix_1.2.0.0.exe | String found in binary or memory: RFB 003.003
Source: iceix_1.2.0.0.exe | String found in binary or memory: RFB 003.003
Source: iceix_1.2.0.0.exe, 00000000.00000002.463461280.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: ! *.jpg|*.png|*.css|.gif|*.js|*.bmp|*.tiff|*.ico|*.pdf|*.zip|*.exe|*.msi-.tmphttp://www.google.com/webhpbc-vGetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInformationProcessRtlUserThreadStartLdrLoadDllLdrGetDllHandle.datRFB 003.003
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040A860 socket,bind,listen,closesocket,
Source: C:\Users\user\Desktop\iceix_1.2.0.0.exe | Code function: 0_2_0040AB3E socket,bind,closesocket,

Mitre Att&ck Matrix

Techniques are grouped by tactic column; a number in parentheses after a technique is the count of signatures in this report mapped to it.

  • Initial Access: Valid Accounts (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
  • Execution: Execution through API (1), Graphical User Interface (1), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software
  • Persistence: Create Account (1), Valid Accounts (1), Application Shimming (1), System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
  • Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Application Shimming (1), DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection
  • Defense Evasion: Software Packing (23), Obfuscated Files or Information (2), Valid Accounts (1), Access Token Manipulation (11), Install Root Certificate (1), DLL Search Order Hijacking, Software Packing, Indicator Blocking
  • Credential Access: Input Capture (11), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
  • Discovery: System Time Discovery (2), Account Discovery (1), Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (3), Network Share Discovery (1), Process Discovery (1), System Owner/User Discovery (1)
  • Lateral Movement: Remote File Copy (1), Remote Desktop Protocol (1), Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
  • Collection: Input Capture (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
  • Command and Control: Commonly Used Port (1), Remote File Copy (1), Standard Cryptographic Protocol (2), Remote Access Tools (1), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.