Analysis Report K8nV75e45o

Overview

General Information

Sample Name: K8nV75e45o (renamed file extension from none to exe)
Analysis ID: 376941
MD5: b4bd8726c7a17ed5d3e99069a8e5872c
SHA1: 5f69352894ed9a03ad1aac338605e823802545ee
SHA256: fdaba3f0e49475409607ec915599d216ef30351eb34e6c52716a74921285c994
Tags: uncategorized

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: K8nV75e45o.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: K8nV75e45o.exe Virustotal: Detection: 90%
Source: K8nV75e45o.exe Metadefender: Detection: 89%
Source: K8nV75e45o.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: K8nV75e45o.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.K8nV75e45o.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 0.0.K8nV75e45o.exe.400000.0.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00412C9A CryptUnprotectData,LocalFree, 0_2_00412C9A
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004176C6 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_004176C6

Compliance:

Uses 32bit PE files
Source: K8nV75e45o.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040EECB GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0040EECB
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041BA9D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0041BA9D
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041BB58 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0041BB58
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041201E InternetReadFileExA, 0_2_0041201E
Source: K8nV75e45o.exe String found in binary or memory: http://www.google.com/webhp
Source: K8nV75e45o.exe String found in binary or memory: http://www.google.com/webhpbc.exe-f

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004098BE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_004098BE
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041618F EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_0041618F

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041D159 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 0_2_0041D159
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00405A43 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 0_2_00405A43

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004098BE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_004098BE
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00412245 NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_00412245
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004122FC NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_004122FC
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00417D43 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00417D43
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040BA8F InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040BA8F
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00406F85 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00406F85
Detected potential crypto function
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00419174 0_2_00419174
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004175D2 0_2_004175D2
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_004021F3 0_2_004021F3
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040AE91 0_2_0040AE91
Uses 32bit PE files
Source: K8nV75e45o.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040C0B2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0040C0B2
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040C227 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0040C227
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00417AED GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_00417AED
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00417A96 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 0_2_00417A96
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041C8C2 CoCreateInstance,VariantInit,SysAllocString,VariantClear, 0_2_0041C8C2
Source: K8nV75e45o.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K8nV75e45o.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: K8nV75e45o.exe Virustotal: Detection: 90%
Source: K8nV75e45o.exe Metadefender: Detection: 89%
Source: K8nV75e45o.exe ReversingLabs: Detection: 96%

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00418469 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00418469
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040247D push es; iretd 0_2_0040248C
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00402B49 push cs; iretd 0_2_00402B58
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00402B13 push cs; ret 0_2_00402B28

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040F20F LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0040F20F

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041BA9D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0041BA9D
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041BB58 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0041BB58

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00412425 LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection, 0_2_00412425
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00418469 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00418469
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00406015 mov edx, dword ptr fs:[00000030h] 0_2_00406015
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040635A GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 0_2_0040635A
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00419A10 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_00419A10
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040C0B2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0040C0B2
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040C056 GetUserNameExW, 0_2_0040C056
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0041654B GetTimeZoneInformation, 0_2_0041654B
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_0040745C GetVersionExW,GetNativeSystemInfo, 0_2_0040745C

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: K8nV75e45o.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: K8nV75e45o.exe String found in binary or memory: RFB 003.003
Source: K8nV75e45o.exe, 00000000.00000000.202422865.0000000000401000.00000020.00020000.sdmp String found in binary or memory: $GetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInformationProcessRtlUserThreadStartLdrLoadDllLdrGetDllHandleSOFTWARE\Microsoft.dat0xB268B1AD#SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME-vnspr4.dllPR_OpenTCPSocketPR_ClosePR_ReadPR_WriteRFB 003.003
Source: K8nV75e45o.exe String found in binary or memory: $GetProcAddressLoadLibraryANtCreateThreadNtCreateUserProcessNtQueryInformationProcessRtlUserThreadStartLdrLoadDllLdrGetDllHandleSOFTWARE\Microsoft.dat0xB268B1AD#SysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXME-vnspr4.dllPR_OpenTCPSocketPR_ClosePR_ReadPR_WriteRFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00419841 socket,bind,closesocket, 0_2_00419841
Source: C:\Users\user\Desktop\K8nV75e45o.exe Code function: 0_2_00419563 socket,bind,listen,closesocket, 0_2_00419563

Behavior Graph

Behavior Graph ID: 376941; Sample: K8nV75e45o; Start date: 28/03/2021; Architecture: WINDOWS; Score: 72
Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found)
Started process: K8nV75e45o.exe
Process signatures: Detected ZeusVM e-Banking Trojan

No contacted IP infos