Analysis Report zeusaes_2.7.6.6.vir

Overview

General Information

Sample Name: zeusaes_2.7.6.6.vir (renamed file extension from vir to exe)
Analysis ID: 247696
MD5: 0e963c9b8282042690437d69a8ad7395
SHA1: 19017d8a1a7c6ded1ca488d31aee23ce58e71ce8
SHA256: 1294e6cce4285225612898a4fbc75a640e69dc0f246af698e2c91d48ad2d61b8

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Injects a PE file into a foreign process
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • zeusaes_2.7.6.6.exe (PID: 4532 cmdline: 'C:\Users\user\Desktop\zeusaes_2.7.6.6.exe' MD5: 0E963C9B8282042690437D69A8AD7395)
    • zeusaes_2.7.6.6.exe (PID: 4504 cmdline: c:\users\user\desktop\zeusaes_2.7.6.6.exe MD5: 0E963C9B8282042690437D69A8AD7395)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zeusaes_2.7.6.6.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: zeusaes_2.7.6.6.exe | Virustotal: Detection: 81%
Source: zeusaes_2.7.6.6.exe | Metadefender: Detection: 65%
Source: zeusaes_2.7.6.6.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: zeusaes_2.7.6.6.exe | Joe Sandbox ML: detected
Source: 0.2.zeusaes_2.7.6.6.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.ajoumea
Source: 1.2.zeusaes_2.7.6.6.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK
Source: 1.0.zeusaes_2.7.6.6.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.ajoumea
Source: 0.0.zeusaes_2.7.6.6.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.ajoumea
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040C6D7 CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00415FD3 CryptUnprotectData, LocalFree
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00414161 GetFileAttributesExW, ReadProcessMemory, LoadLibraryW, GetProcAddress, SHGetFolderPathW, StrCmpNIW, FreeLibrary, NetUserEnum, NetUserGetInfo, NetApiBufferFree, NetApiBufferFree, SHGetFolderPathW
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00411487 FindFirstFileW, Sleep, WaitForSingleObject, PathMatchSpecW, Sleep, Sleep, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041A04A ResetEvent, InternetSetStatusCallbackW, InternetSetStatusCallbackW, InternetReadFileExA, GetLastError, InternetSetStatusCallbackW
Source: zeusaes_2.7.6.6.exe | String found in binary or memory: http://smusicsoft.com/stat/stat.php?id=1
Source: zeusaes_2.7.6.6.exe, 00000001.00000002.457622544.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://smusicsoft.com/stat/stat.php?id=1h
Source: zeusaes_2.7.6.6.exe | String found in binary or memory: http://www.google.com/webhp
Source: zeusaes_2.7.6.6.exe, 00000001.00000002.457622544.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.google.com/webhpbcnspr4.dllPR_OpenTCPSocketPR_ClosePR_ReadPR_Write
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_004065DC GetClipboardData, GlobalLock, EnterCriticalSection, LeaveCriticalSection, GlobalUnlock
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00406474 EnterCriticalSection, GetTickCount, LeaveCriticalSection, GetKeyboardState, ToUnicode, TranslateMessage
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00415724 NtCreateUserProcess, NtCreateThread, LdrLoadDll, GetFileAttributesExW, HttpSendRequestW, HttpSendRequestA, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable, HttpQueryInfoA, closesocket, send, WSASend, TranslateMessage, GetClipboardData, PFXImportCertStore
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041AB39 NtQueryInformationProcess, CloseHandle, NtCreateThread
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041ABFC NtCreateUserProcess, GetProcessId, GetThreadContext, SetThreadContext, VirtualFreeEx, CloseHandle
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040D72F LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessAsUserW, CloseHandle, CloseHandle, CloseHandle, FreeLibrary
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040A80E InitiateSystemShutdownExW, ExitWindowsEx
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040918A CreateMutexW, GetLastError, CloseHandle, CloseHandle, ExitWindowsEx, OpenEventW, SetEvent, CloseHandle, CloseHandle, OpenMutexW, GetFileAttributesExW, ReadProcessMemory, CloseHandle, GetFileAttributesExW, ReadProcessMemory, Sleep, IsWellKnownSid, GetFileAttributesExW, ReadProcessMemory, GetFileAttributesExW, VirtualProtect, VirtualProtect, VirtualProtect, VirtualFree, VirtualProtect, VirtualProtect, VirtualProtect, CreateEventW, WaitForSingleObject, WaitForMultipleObjects, CloseHandle, CloseHandle, CloseHandle, CloseHandle
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_00404D70
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_004047D0
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_004054E0
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_004054F9
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_00404F80
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040C5E3
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040CD84
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00412E25
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040CADD
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040EB1B
Source: classification engine | Classification label: mal84.evad.winEXE@3/0@0/1
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00412441 CertOpenSystemStoreW, CertEnumCertificatesInStore, CertEnumCertificatesInStore, CertEnumCertificatesInStore, PFXExportCertStoreEx, PFXExportCertStoreEx, PFXExportCertStoreEx, CharLowerW, GetSystemTime, CertCloseStore
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_004125B4 CertOpenSystemStoreW, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertDeleteCertificateFromStore, CertEnumCertificatesInStore, CertCloseStore
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040D4D6 GetCurrentThread, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040D47F CreateToolhelp32Snapshot, Thread32First, Thread32Next, CloseHandle
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00415D2C CoCreateInstance
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | File read: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe
Source: unknown | Process created: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe 'C:\Users\user\Desktop\zeusaes_2.7.6.6.exe'
Source: unknown | Process created: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe c:\users\user\desktop\zeusaes_2.7.6.6.exe
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Process created: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe c:\users\user\desktop\zeusaes_2.7.6.6.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Unpacked PE file: 1.2.zeusaes_2.7.6.6.exe.400000.0.unpack .code:ER;.text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Unpacked PE file: 1.2.zeusaes_2.7.6.6.exe.400000.0.unpack
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x6E770278 [Sat Sep 23 03:39:36 2028 UTC]
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_00401419 MessageBoxA, LoadLibraryA, GetProcAddress, ExitProcess, HeapDestroy, ExitProcess
Source: zeusaes_2.7.6.6.exe | Static PE information: section name: .code
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_004030CA push eax; mov dword ptr [esp], 00000000h 0_2_004030D0
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 0_2_004020F4 push eax; mov dword ptr [esp], 00000000h 0_2_004020FA
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_004144C0 push 121AE8CBh; iretd 1_2_00414555
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041451F push 121AE8CBh; iretd 1_2_00414555
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00414676 push ecx; ret 1_2_00414677
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_00413307 LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, LoadImageW, GetIconInfo, GetCursorPos, DrawIcon, lstrcmpiW, FreeLibrary, FreeLibrary, FreeLibrary, FreeLibrary
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041AD37 LdrLoadDll, LdrGetDllHandle, LdrLoadDll, EnterCriticalSection, lstrcmpiW, LeaveCriticalSection
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_004080CF mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040840D GetModuleHandleW, GetModuleHandleW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, HeapCreate, GetProcessHeap, InitializeCriticalSection, WSAStartup, CreateEventW, CreateEventW, CreateEventW, GetLengthSid, GetCurrentProcessId

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Memory written: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Process created: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe c:\users\user\desktop\zeusaes_2.7.6.6.exe
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040F384 InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, LocalFree
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_004148BE GetTickCount, GetUserDefaultUILanguage, GetModuleFileNameW, GetUserNameExW
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040B3BC GetTimeZoneInformation
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0041384F GetVersionExW
Source: zeusaes_2.7.6.6.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040F1B5 socket, bind, closesocket
Source: C:\Users\user\Desktop\zeusaes_2.7.6.6.exe | Code function: 1_2_0040EF0C socket, bind, listen, closesocket

MITRE ATT&CK Matrix

(Columns are ATT&CK tactics; the trailing digits on a technique are the report's matched-signature markers and are kept as they appear.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Execution through API 1 | Valid Accounts 1 | Valid Accounts 1 | Valid Accounts 1 | Input Capture 11 | Network Share Discovery 1 | Remote File Copy 1 | Input Capture 11 | Data Encrypted 1 | Standard Cryptographic Protocol 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Replication Through Removable Media | Service Execution | Application Shimming 1 | Access Token Manipulation 11 | Software Packing 21 | Network Sniffing | System Time Discovery 2 | Remote Services | Clipboard Data 1 | Exfiltration Over Other Network Medium | Commonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Process Injection 111 | Access Token Manipulation 11 | Input Capture | Process Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | Application Shimming 1 | Timestomp 1 | Credentials in Files | Account Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | (none) | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 111 | Account Manipulation | System Owner/User Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Install Root Certificate 1 | Brute Force | Security Software Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | (none) | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 1 | Two-Factor Authentication Interception | File and Directory Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery 4 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | (none) | Generate Fraudulent Advertising Revenue

Behavior Graph


Screenshots
