Analysis Report eUTopTYPuc

Overview

General Information

Sample Name: eUTopTYPuc (renamed file extension from none to exe)
Analysis ID: 349662
MD5: 09580ec10df3398ce68c176121fbba66
SHA1: d86cc8b0439b75ffecf6df985161c81f028a6fe2
SHA256: 06a0b2c3fc763506f6340dc4f582f7980378f7ededfb807541afeeca0499d8cd
Tags: uncategorized

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: eUTopTYPuc.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: eUTopTYPuc.exe Virustotal: Detection: 91%
Source: eUTopTYPuc.exe Metadefender: Detection: 78%
Source: eUTopTYPuc.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: eUTopTYPuc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.eUTopTYPuc.exe.400000.0.unpack Avira: Label: TR/Spy.Zbot.aoqb.5
Source: 0.2.eUTopTYPuc.exe.400000.0.unpack Avira: Label: TR/Spy.Zbot.aoqb.5

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00417429 CryptUnprotectData,LocalFree, 0_2_00417429
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040812A CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0040812A

Compliance:

Uses 32bit PE files
Source: eUTopTYPuc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041628F GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0041628F
Note: the NetAPI calls in this function (NetUserEnum, NetUserGetInfo) enumerate user accounts, not shares; no share-enumeration API such as NetShareEnum appears in the listed calls, so treat this signature as user-account enumeration unless disassembly shows otherwise.
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040C4F3 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040C4F3
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040C5AE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040C5AE
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00408C27 WaitForSingleObject,InternetReadFile, 0_2_00408C27
Source: eUTopTYPuc.exe String found in binary or memory: http://www.google.com/webhp
Source: eUTopTYPuc.exe String found in binary or memory: http://www.google.com/webhpbcSeShutdownPrivilegeRFB

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00404D18 GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00404D18
Note: GetClipboardData is one entry in a much larger list; the list as a whole matches the set of user-mode APIs the Zeus family hooks inline: wininet/ws2_32 for form grabbing, user32 drawing, desktop and message functions for screen and input capture, and crypt32 PFXImportCertStore for certificate theft. The function at 0x00404D18 is therefore better read as the hook-installation table than as a standalone clipboard reader.
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00405CE7 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_00405CE7

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041D132 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 0_2_0041D132
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040EF1F OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 0_2_0040EF1F
Note: the window-station and desktop calls at 0x0040EF1F (CreateWindowStationW, CreateDesktopW, SetThreadDesktop) are the sequence used to create a separate, invisible desktop. Together with the RFB version string listed under Remote Access Functionality, this is consistent with the hidden VNC module that lets an operator drive the infected host's browser session without the user seeing it.

System Summary:

Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004087A7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_004087A7
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040F429 InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040F429
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004136AC CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_004136AC
Detected potential crypto function
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00402823 0_2_00402823
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00408036 0_2_00408036
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004117CB 0_2_004117CB
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00409BD8 0_2_00409BD8
Uses 32bit PE files
Source: eUTopTYPuc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041A581 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0041A581
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041A6F6 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0041A6F6
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00408551 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_00408551
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004084FA CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 0_2_004084FA
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00417185 CoCreateInstance, 0_2_00417185
Source: eUTopTYPuc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: eUTopTYPuc.exe Virustotal: Detection: 91%
Source: eUTopTYPuc.exe Metadefender: Detection: 78%
Source: eUTopTYPuc.exe ReversingLabs: Detection: 96%

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004178F9 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_004178F9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00403143 push cs; ret 0_2_00403158
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00403179 push cs; iretd 0_2_00403188
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00402AAD push es; iretd 0_2_00402ABC

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00411FB9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_00411FB9

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040C4F3 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040C4F3
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040C5AE FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040C5AE

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_004178F9 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_004178F9
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00412738 mov edx, dword ptr fs:[00000030h] 0_2_00412738
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00412A7D GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 0_2_00412A7D
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040A474 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_0040A474
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041AC79 RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetLocalTime, 0_2_0041AC79
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0041A525 GetUserNameExW, 0_2_0041A525
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00406FAF GetTimeZoneInformation, 0_2_00406FAF
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00413002 GetComputerNameW,GetVersionExW,RegOpenKeyExW, 0_2_00413002

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: eUTopTYPuc.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)
Note: this string is not a null DACL. It is SDDL for a SACL holding one mandatory-label ACE (ML) with policy NR, NW, NX (no read up, no write up, no execute up) and the Low integrity label (LW, S-1-16-4096). An object labelled Low is reachable by Low-integrity processes such as a protected-mode browser tab, which could not otherwise write to the bot's Medium-labelled objects. The function at 0x0040A474 (InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl) sets the DACL separately and then copies this SACL into the descriptor; whether that DACL is NULL is not shown by the report.
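To make SDDL strings like the one above readable during triage, the following parser is an added example for this page (not code from the report or the sample). It splits an SDDL string into owner, group, DACL and SACL, breaks each ACE into its six fields, resolves the well-known SID aliases that matter here (integrity levels, Everyone, Administrators, SYSTEM) and explains what a mandatory-label ACE permits. The alias table is a subset of the SDDL aliases in sddl.h, and the descriptor strings in the `__main__` block are constructed inputs for the example.

```python
import re

ACE_TYPES = {"A": "access allowed", "D": "access denied", "AU": "audit", "ML": "mandatory label"}
# Mandatory-label policy rights (SYSTEM_MANDATORY_LABEL_NO_*_UP in winnt.h).
LABEL_RIGHTS = {"NW": "no write up", "NR": "no read up", "NX": "no execute up"}
# Subset of the SDDL SID aliases from sddl.h that are relevant to this report.
WELL_KNOWN_SIDS = {
    "LW": ("S-1-16-4096", "Low integrity level"),
    "ME": ("S-1-16-8192", "Medium integrity level"),
    "HI": ("S-1-16-12288", "High integrity level"),
    "SI": ("S-1-16-16384", "System integrity level"),
    "WD": ("S-1-1-0", "Everyone"),
    "BU": ("S-1-5-32-545", "Builtin Users"),
    "BA": ("S-1-5-32-544", "Builtin Administrators"),
    "SY": ("S-1-5-18", "Local System"),
}
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O:, G:, D:, S: up to the next marker
ACE_RE = re.compile(r"\(([^)]*)\)")


def resolve_sid(token: str) -> str:
    """Expand a two-letter SDDL alias to its SID; literal S-1-... strings pass through."""
    return WELL_KNOWN_SIDS[token][0] if token in WELL_KNOWN_SIDS else token


def split_rights(rights: str) -> list:
    """Rights are either a hex mask ('0x1200a9') or a run of two-letter tokens ('NRNWNX')."""
    if rights.lower().startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"malformed rights field: {rights!r}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_ace(ace: str) -> dict:
    """An ACE is (type;flags;rights;object_guid;inherit_object_guid;sid)."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({ace})")
    ace_type, ace_flags, rights, obj, inh_obj, sid = fields
    return {"type": ace_type, "type_name": ACE_TYPES.get(ace_type, "unknown"),
            "flags": ace_flags, "rights": split_rights(rights),
            "object_guid": obj or None, "inherit_object_guid": inh_obj or None,
            "sid": resolve_sid(sid)}


def parse_sddl(sddl: str) -> dict:
    """Return owner/group SIDs and DACL/SACL dicts; an absent component is None.
    An absent DACL means the descriptor has no DACL (a NULL DACL), so when it is
    applied to an object every principal is granted full access."""
    parsed = {"owner": None, "group": None, "dacl": None, "sacl": None}
    keys = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}
    for m in COMPONENT_RE.finditer(sddl):
        key, body = keys[m.group(1)], m.group(2)
        if key in ("owner", "group"):
            parsed[key] = resolve_sid(body.strip())
        else:
            parsed[key] = {"flags": body.split("(", 1)[0],          # e.g. P (protected), AI, AR
                           "aces": [parse_ace(a) for a in ACE_RE.findall(body)]}
    return parsed


def describe(parsed: dict) -> list:
    """Plain-language lines for what the descriptor grants or restricts."""
    lines = []
    if parsed["dacl"] is None:
        lines.append("DACL: absent (NULL DACL): no access check, any principal gets full access")
    else:
        for ace in parsed["dacl"]["aces"]:
            lines.append(f"DACL: {ace['type_name']} {','.join(ace['rights'])} for {ace['sid']}")
    for ace in (parsed["sacl"] or {"aces": []})["aces"]:
        if ace["type"] != "ML":
            lines.append(f"SACL: {ace['type_name']} ACE for {ace['sid']}")
            continue
        level = next((n for _, (v, n) in WELL_KNOWN_SIDS.items() if v == ace["sid"]), ace["sid"])
        policy = ", ".join(LABEL_RIGHTS.get(r, r) for r in ace["rights"])
        lines.append(f"SACL: mandatory label '{level}', policy: {policy}; "
                     f"subjects at or above this integrity level are not restricted by the label")
    return lines


if __name__ == "__main__":
    for s in ("S:(ML;;NRNWNX;;;LW)", "O:BAG:SYD:P(A;;GA;;;WD)S:(ML;;NW;;;LW)"):  # constructed inputs
        print(s)
        for line in describe(parse_sddl(s)):
            print("  " + line)
```

Run against the report string, the output states that the only label-based restriction applies to subjects below Low integrity, which in practice restricts nothing that matters; any Low-integrity process can reach the object subject only to the DACL.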

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: eUTopTYPuc.exe String found in binary or memory: RFB 003.003
Source: eUTopTYPuc.exe, 00000000.00000000.203019463.0000000000401000.00000020.00020000.sdmp String found in binary or memory: scriptnbsp;Basic tmp%s%08x.%s%s%08x*SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME.tmphttp://www.google.com/webhpbcSeShutdownPrivilegeRFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_0040A2A5 socket,bind,closesocket, 0_2_0040A2A5
Source: C:\Users\user\Desktop\eUTopTYPuc.exe Code function: 0_2_00409FC7 socket,bind,listen,closesocket, 0_2_00409FC7
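"RFB 003.003" is the ProtocolVersion message of the Remote Framebuffer protocol used by VNC: the server sends the 12-byte string "RFB xxx.yyy\n", the client answers with the version it will speak, and in version 3.3 the server then sends a single big-endian 32-bit security type (0 = connection failed followed by a reason string, 1 = none, 2 = VNC authentication followed by a 16-byte challenge). A responder who suspects a hidden VNC server can therefore identify one from the first few bytes of a connection. The code below is an added example written for this page, not code from the sample or the report: it implements both sides of that opening exchange, a loopback listener that uses the same socket/bind/listen sequence the report flags at 0x00409FC7 (a constructed stand-in, not the sample's server), and an in-process run over a socketpair so it executes offline. The fake server's fixed all-zero challenge and its failure reason are constructed values.

```python
import socket
import struct
import threading

PROTOCOL_VERSION_33 = b"RFB 003.003\n"
# RFB 3.3 security types; the server chooses one and sends it as a big-endian u32.
SECURITY_TYPES_33 = {0: "connection failed", 1: "None", 2: "VNC Authentication"}


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:12] != b"\n":
        return None
    major, minor = banner[4:7], banner[8:11]
    if not (major.isdigit() and minor.isdigit()):
        return None
    return int(major), int(minor)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def handshake_rfb33(sock) -> dict:
    """Client side: read the server banner, answer with 3.3, read the chosen security type."""
    banner = recv_exact(sock, 12)
    version = parse_rfb_version(banner)
    if version is None:
        return {"rfb": False, "banner": banner}          # not an RFB server
    sock.sendall(PROTOCOL_VERSION_33)
    sec = struct.unpack(">I", recv_exact(sock, 4))[0]
    info = {"rfb": True, "version": version, "security_type": sec,
            "security_name": SECURITY_TYPES_33.get(sec, "unknown")}
    if sec == 2:
        info["challenge"] = recv_exact(sock, 16)          # 16-byte DES challenge follows
    elif sec == 0:
        n = struct.unpack(">I", recv_exact(sock, 4))[0]   # u32 length + reason text
        info["reason"] = recv_exact(sock, n).decode("latin-1")
    return info


def serve_rfb33(conn, security_type=2, reason=b"too many clients"):
    """Server side of the same exchange (constructed stand-in, not the sample's code)."""
    conn.sendall(PROTOCOL_VERSION_33)
    client_version = parse_rfb_version(recv_exact(conn, 12))
    conn.sendall(struct.pack(">I", security_type))
    if security_type == 2:
        conn.sendall(bytes(16))                           # fixed challenge for the example
    elif security_type == 0:
        conn.sendall(struct.pack(">I", len(reason)) + reason)
    return client_version


def start_fake_listener(security_type=2) -> int:
    """socket, bind, listen on loopback and serve one client; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            serve_rfb33(conn, security_type)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout=3.0) -> dict:
    """Banner-grab a suspected VNC listener without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return handshake_rfb33(s)


def exchange_in_process(security_type=2) -> dict:
    """Run both sides over a socketpair (no network at all) and return the client's view."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_rfb33, args=(server, security_type))
    t.start()
    try:
        return handshake_rfb33(client)
    finally:
        t.join(timeout=5)
        client.close()
        server.close()


if __name__ == "__main__":
    print(probe("127.0.0.1", start_fake_listener(security_type=2)))
```

The probe stops after the security-type message, so it never sends credentials; that is enough to confirm an RFB endpoint and its version, which is what a host-based sweep of listening ports needs. A real hidden-VNC component may also connect outbound to its controller instead of listening, in which case the same banner appears in the first packet the bot receives.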
Behavior Graph (ID: 349662, Sample: eUTopTYPuc, Start date: 07/02/2021, Architecture: WINDOWS, Score: 72)
Process: eUTopTYPuc.exe (started)
Signatures on graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found); Detected ZeusVM e-Banking Trojan
No contacted IP infos