Analysis Report GqSL8M2a72

Overview

General Information

Sample Name: GqSL8M2a72 (renamed file extension from none to exe)
Analysis ID: 355735
MD5: 4fc29198fcc9a9fe3b31f7549d54d8e9
SHA1: 5b112c77ea208d570eedaad0d5880e6fc19cffbc
SHA256: 98d8b13f297953a0b4f915e55cd527f0f1461d42b917b77aa99f05446f6fdd12
Tags: uncategorized, ZeuS


Detection

ZeusVM
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Injects a PE file into a foreign process
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May initialize a security null descriptor
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: GqSL8M2a72.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: GqSL8M2a72.exe Virustotal: Detection: 86%
Source: GqSL8M2a72.exe Metadefender: Detection: 72%
Source: GqSL8M2a72.exe ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: GqSL8M2a72.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.GqSL8M2a72.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 1.2.GqSL8M2a72.exe.5e0000.1.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_00401145 HeapAlloc,CryptStringToBinaryA, 1_2_00401145
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040A14E CryptUnprotectData,LocalFree, 2_2_0040A14E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041764D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 2_2_0041764D

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack
Uses 32bit PE files
Source: GqSL8M2a72.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040969D GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 2_2_0040969D
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041BA18 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 2_2_0041BA18
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041BAD3 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 2_2_0041BAD3
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00406095 getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select, 2_2_00406095
Source: GqSL8M2a72.exe String found in binary or memory: http://www.google.com/webhp
Source: GqSL8M2a72.exe, 00000001.00000002.197226170.000000000265E000.00000004.00000040.sdmp String found in binary or memory: http://www.google.com/webhpLb
Source: GqSL8M2a72.exe, 00000002.00000002.197084539.0000000000401000.00000020.00000001.sdmp String found in binary or memory: http://www.google.com/webhpbc

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00405EC6 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 2_2_00405EC6
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00405D60 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 2_2_00405D60
Creates a DirectInput object (often for capturing keystrokes)
Source: GqSL8M2a72.exe, 00000001.00000002.197104411.000000000068A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040DB94 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 2_2_0040DB94
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00404C67 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 2_2_00404C67

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_00401326 NtAllocateVirtualMemory, 1_2_00401326
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_0042656B NtAllocateVirtualMemory, 1_2_0042656B
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_0042694B CreateProcessW,NtGetContextThread,NtUnmapViewOfSection,SetUnhandledExceptionFilter,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ExitProcess, 1_2_0042694B
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_0042658E NtSetContextThread,NtResumeProcess, 1_2_0042658E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00415C2E NtQueryInformationProcess,CloseHandle,NtCreateThread, 2_2_00415C2E
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00415CE5 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 2_2_00415CE5
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00415781 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 2_2_00415781
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 2_2_00417CCA
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004120CF InitiateSystemShutdownExW,ExitWindowsEx, 2_2_004120CF
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040F5BB CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 2_2_0040F5BB
Detected potential crypto function
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004190FB 2_2_004190FB
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417559 2_2_00417559
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00401A63 2_2_00401A63
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00410F8B 2_2_00410F8B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: String function: 0040101D appears 51 times
Tries to load missing DLLs
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Section loaded: skembuptpwnoq.dll
Uses 32bit PE files
Source: GqSL8M2a72.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: GqSL8M2a72.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal92.bank.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041D5F1 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 2_2_0041D5F1
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041D766 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 2_2_0041D766
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417A74 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 2_2_00417A74
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417A1D CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 2_2_00417A1D
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040A86D CoCreateInstance, 2_2_0040A86D
Source: GqSL8M2a72.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GqSL8M2a72.exe Virustotal: Detection: 86%
Source: GqSL8M2a72.exe Metadefender: Detection: 72%
Source: GqSL8M2a72.exe ReversingLabs: Detection: 88%
Source: unknown Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: unknown Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Unpacked PE file: 2.2.GqSL8M2a72.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 2_2_00417CCA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00401807 push FFFFFFF1h; ret 2_2_00401809
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00401CED push es; iretd 2_2_00401CFC
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004093F2 push esi; iretd 2_2_004093F3
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00402383 push cs; ret 2_2_00402398
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004023B9 push cs; iretd 2_2_004023C8

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00411779 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 2_2_00411779

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041BA18 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 2_2_0041BA18
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041BAD3 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 2_2_0041BAD3
Source: GqSL8M2a72.exe Binary or memory string: O1nvu1ctKOpA7eriBCpw6n8KOmhqynhk5NpS7zt6aKXNOvppepIl6mWFlZ9VmzJrWm5qYtXp1dqSKkm6aK8Vmzcrbmpqbx9S1WWbMGprLmpp1VqSKCp6a+LduuWdG68K5Zs26muC/jZp2OZdOqpqsapqtPoqemuWDjXafAn/umGqki16empi2m46ov4wYt43qmjeNyL9MCL+OmFi3jRo3jfmGq4x4mqCa5EivjOqb2WZNCjuSmL4b7Di/7CiaQt+ampi

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00415E14 LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection, 2_2_00415E14
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00417CCA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 2_2_00417CCA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040E636 mov edx, dword ptr fs:[00000030h] 2_2_0040E636
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_004015DA HeapCreate,GetProcessHeap, 1_2_004015DA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 1_2_0042694B CreateProcessW,NtGetContextThread,NtUnmapViewOfSection,SetUnhandledExceptionFilter,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ExitProcess, 1_2_0042694B

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Memory written: C:\Users\user\Desktop\GqSL8M2a72.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Process created: C:\Users\user\Desktop\GqSL8M2a72.exe 'C:\Users\user\Desktop\GqSL8M2a72.exe'
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_00419997 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 2_2_00419997
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004164AA GetSystemTime,SystemTimeToFileTime, 2_2_004164AA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0041D595 GetUserNameExW, 2_2_0041D595
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004164D2 GetTimeZoneInformation, 2_2_004164D2
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_0040E447 GetVersionExW,GetNativeSystemInfo, 2_2_0040E447

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: GqSL8M2a72.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: GqSL8M2a72.exe String found in binary or memory: RFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004194EA socket,bind,listen,closesocket, 2_2_004194EA
Source: C:\Users\user\Desktop\GqSL8M2a72.exe Code function: 2_2_004197C8 socket,bind,closesocket, 2_2_004197C8
Behavior Graph (ID: 355735, Sample: GqSL8M2a72, Startdate: 21/02/2021, Architecture: WINDOWS, Score: 92): the submitted GqSL8M2a72.exe is started and in turn starts a second GqSL8M2a72.exe process. Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found). Signatures attached to the first process: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Detected ZeusVM e-Banking Trojan; Injects a PE file into a foreign process.
No contacted IP information