Analysis Report E7CThb0bFa

Overview

General Information

Sample Name: E7CThb0bFa (renamed file extension from none to exe)
Analysis ID: 381780
MD5: ba28a06e2aae1052319541d4124122c5
SHA1: 20613e49ee5b14dc04c7b045900f1d0e1b4173be
SHA256: 9738c7021fdded8bb03e1588d17386dc175328630ecb0f1a3d671dfc4fb18d46
Tags: uncategorized

Detection

ZeusVM
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign process
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May initialize a security null descriptor
Program does not show much activity (idle)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: E7CThb0bFa.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: E7CThb0bFa.exe Virustotal: Detection: 84%
Source: E7CThb0bFa.exe ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: E7CThb0bFa.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.E7CThb0bFa.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 0.2.E7CThb0bFa.exe.24e0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.E7CThb0bFa.exe.400000.0.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00408558 CryptUnprotectData,LocalFree, 1_2_00408558
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_2_00412FA3
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00408558 CryptUnprotectData,LocalFree, 1_1_00408558
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_1_00412FA3

Compliance:

Uses 32bit PE files
Source: E7CThb0bFa.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 1_2_004113A5
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 1_1_004113A5
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405304
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_2_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_2_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_1_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_1_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00414C41 select,recv, 1_2_00414C41
Source: E7CThb0bFa.exe String found in binary or memory: http://www.google.com/webhp
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp, E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://www.google.com/webhpbc

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041047C GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 1_2_0041047C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0042D190 GetKeyboardState, 0_2_0042D190

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 1_2_00419084
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 1_1_00419084
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_004108EC OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 1_2_004108EC

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044A56C NtdllDefWindowProc_A, 0_2_0044A56C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00430020 NtdllDefWindowProc_A,GetCapture, 0_2_00430020
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00424C58 NtdllDefWindowProc_A, 0_2_00424C58
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0044AD10
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0044ADC0
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0043F83C GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0043F83C
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00413620 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 1_2_00413620
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00418801 InitiateSystemShutdownExW,ExitWindowsEx, 1_2_00418801
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 1_2_0041D21C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00418801 InitiateSystemShutdownExW,ExitWindowsEx, 1_1_00418801
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 1_1_0041D21C
Detected potential crypto function
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00444A1C 0_2_00444A1C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0043F83C 0_2_0043F83C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00414A51 1_2_00414A51
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0040D6D4 1_2_0040D6D4
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00412EAF 1_2_00412EAF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0040171B 1_2_0040171B
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00414A51 1_1_00414A51
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0040D6D4 1_1_0040D6D4
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00412EAF 1_1_00412EAF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0040171B 1_1_0040171B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: String function: 004041E0 appears 68 times
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: String function: 00406324 appears 61 times
Sample file name is different from the original file name gathered from version info
Source: E7CThb0bFa.exe, 00000000.00000002.637101486.0000000000A90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs E7CThb0bFa.exe
Uses 32bit PE files
Source: E7CThb0bFa.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.bank.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0041DA04 GetLastError,FormatMessageA, 0_2_0041DA04
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 1_2_00405554
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 1_2_004053DF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 1_1_00405554
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 1_1_004053DF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 1_2_004133CA
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 1_1_004133CA
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_004085C0 GetDiskFreeSpaceA, 0_2_004085C0
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0040647F CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, 1_2_0040647F
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00408C77 CoCreateInstance, 1_2_00408C77
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00406179 CompareStringA,RtlEnterCriticalSection,FindResourceA, 0_2_00406179
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E7CThb0bFa.exe Virustotal: Detection: 84%
Source: E7CThb0bFa.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\E7CThb0bFa.exe 'C:\Users\user\Desktop\E7CThb0bFa.exe'
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Process created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Process created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424218
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232BE08 push FAF50000h; retn 0000h 0_3_0232BE0D
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232CB68 push ds; retf 0000h 0_3_0232D370
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232D354 push ds; retf 0000h 0_3_0232D370
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_02327FA0 pushad ; retf 0000h 0_3_02327FBF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232741D pushfd ; retn 0003h 0_3_02327429
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_02329865 push edx; iretd 0_3_0232988C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232ACA4 pushad ; retf 0_3_0232ADC2
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_02328C9C push ss; retf 004Ch 0_3_02336AFF
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_02329100 push eax; ret 0_3_02329152
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232E57F push ss; iretd 0_3_0232E59F
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232C550 pushfd ; retf 0_3_0232C551
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232D9B3 push edx; retf 0000h 0_3_0232D9EC
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_0232BDF4 push ds; ret 0_3_0232BE07
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_023289E0 push ebx; ret 0_3_02328A0A
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_3_02329DEB push ebx; retf 0000h 0_3_02329DEC
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00437334 push 004373C1h; ret 0_2_004373B9
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044A5F4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0044A5F4
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_004225DC IsIconic,GetWindowPlacement,GetWindowRect, 0_2_004225DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00432878 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00432878
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0044AD10
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0044ADC0
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_004475DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_004475DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00431744 IsIconic,GetCapture, 0_2_00431744
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00431FF8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00431FF8
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424218

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00426D88 0_2_00426D88
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00449B50
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00426D88 0_2_00426D88
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405304
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_2_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_2_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 1_1_00417437
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 1_1_0041737C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_0041DFA0 GetSystemInfo, 0_2_0041DFA0

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00424218
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041C2AE mov edx, dword ptr fs:[00000030h] 1_2_0041C2AE
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_1_0041C2AE mov edx, dword ptr fs:[00000030h] 1_1_0041C2AE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041C5F3 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 1_2_0041C5F3
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Memory written: C:\Users\user\Desktop\E7CThb0bFa.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Process created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_004152ED InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 1_2_004152ED

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_004054DC
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040C424
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetLocaleInfoA, 0_2_0040AE50
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetLocaleInfoA, 0_2_0040AE9C
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: GetLocaleInfoA, 0_2_00405E24
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00409924 GetLocalTime, 0_2_00409924
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00407242 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 1_2_00407242
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00411E28 GetTimeZoneInformation, 1_2_00411E28
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 0_2_00437334 GetVersion, 0_2_00437334

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp String found in binary or memory: RFB 003.003
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003
Source: E7CThb0bFa.exe String found in binary or memory: RFB 003.003
Source: E7CThb0bFa.exe String found in binary or memory: RFB 003.003
Source: E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_0041511E socket,bind,closesocket, 1_2_0041511E
Source: C:\Users\user\Desktop\E7CThb0bFa.exe Code function: 1_2_00414E40 socket,bind,listen,closesocket, 1_2_00414E40
Behavior Graph

Behavior Graph ID: 381780 Sample: E7CThb0bFa Startdate: 05/04/2021 Architecture: WINDOWS Score: 80
Process tree: E7CThb0bFa.exe started, which in turn started a second E7CThb0bFa.exe
Signatures shown in the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found); Detected ZeusVM e-Banking Trojan; Injects a PE file into a foreign process; Contains functionality to detect sleep reduction / modifications
No contacted IP infos