Analysis Report 7FzERy9xWc

Overview

General Information

Sample Name: 7FzERy9xWc (renamed file extension from none to exe)
Analysis ID: 385074
MD5: 8f250f634de721fec7b002a805dddc24
SHA1: 8e177de1f0ec9d45417b27e47973b8ded74242c7
SHA256: 5971fcdcf0f563f502c8ab017f34567c15e3e76c7a3c1497ae8513c305f77798
Tags: uncategorized
Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 7FzERy9xWc.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: 7FzERy9xWc.exe Virustotal: Detection: 87%
Source: 7FzERy9xWc.exe ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: 7FzERy9xWc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.7FzERy9xWc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 0.2.7FzERy9xWc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412470 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00412470
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041FB50 HeapAlloc,CryptUnprotectData,LocalFree,HeapFree,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 0_2_0041FB50

Compliance:

Uses 32bit PE files
Source: 7FzERy9xWc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040FEA0 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,PathCombineW,VirtualFree,CloseHandle,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,VirtualFree,CloseHandle, 0_2_0040FEA0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004185D0 PathCombineW,MultiByteToWideChar,PathRemoveFileSpecW,PathCombineW,PathCombineW,SetFileAttributesW,FindFirstFileW,DeleteFileW,PathCombineW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_004185D0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00418700 PathCombineW,FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,PathCombineW,Sleep,FindNextFileW,FindClose, 0_2_00418700
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00414C40 select,recv, 0_2_00414C40
Source: 7FzERy9xWc.exe String found in binary or memory: http://www.google.com/webhp
Source: 7FzERy9xWc.exe, 00000000.00000002.200969767.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.google.com/webhpbcSeShutdownPrivilege

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004239D0 GetClipboardData,WaitForSingleObject,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 0_2_004239D0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00423840 WaitForSingleObject,EnterCriticalSection,GetTickCount,LeaveCriticalSection,TranslateMessage,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_00423840
Creates a DirectInput object (often for capturing keystrokes)
Source: 7FzERy9xWc.exe, 00000000.00000002.201329272.000000000077A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041A850 lstrcmpiA,lstrcmpiA,lstrcmpiA,setsockopt,WSAIoctl,HeapFree,select,WSASetLastError,HeapAlloc,SetLastError,HeapFree,HeapFree,CreateThread,shutdown,closesocket,WaitForMultipleObjects,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,ReleaseMutex,CloseHandle,HeapFree, 0_2_0041A850
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041A370 send,OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,CloseDesktop,CloseWindowStation, 0_2_0041A370

System Summary:

Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412C70 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00412C70
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041D940 VirtualFree,CloseHandle,CreateMutexW,GetLastError,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,OpenMutexW,GetFileAttributesExW,ReadProcessMemory,CloseHandle,Sleep,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,HeapFree, 0_2_0041D940
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040E230 ExitWindowsEx,InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040E230
Detected potential crypto function
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040AC10 0_2_0040AC10
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004140B0 0_2_004140B0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00414990 0_2_00414990
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00416E10 0_2_00416E10
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00408E30 0_2_00408E30
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004022C3 0_2_004022C3
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00416AB0 0_2_00416AB0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412360 0_2_00412360
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412374 0_2_00412374
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040F3FD 0_2_0040F3FD
Uses 32bit PE files
Source: 7FzERy9xWc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7FzERy9xWc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00423460 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_00423460
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004232A0 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,PFXExportCertStoreEx,PFXExportCertStoreEx,HeapAlloc,PFXExportCertStoreEx,CharLowerW,GetSystemTime,HeapFree,CertCloseStore, 0_2_004232A0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004129B0 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_004129B0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412930 CreateToolhelp32Snapshot,Thread32First,Thread32Next,Thread32Next,CloseHandle, 0_2_00412930
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00420440 CoCreateInstance,HeapFree, 0_2_00420440
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7FzERy9xWc.exe Virustotal: Detection: 87%
Source: 7FzERy9xWc.exe ReversingLabs: Detection: 92%

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412C70 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00412C70
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00409CFB push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00409C70 push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00402C19 push cs; iretd 0_2_00402C28
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00409CB9 push eax; iretd 0_2_00409CDD
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040254D push es; iretd 0_2_0040255C
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00402BE3 push cs; ret 0_2_00402BF8
Source: initial sample Static PE information: section name: .text entropy: 7.96218490454

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041E910 VirtualProtect,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0041E910

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004185D0 PathCombineW,MultiByteToWideChar,PathRemoveFileSpecW,PathCombineW,PathCombineW,SetFileAttributesW,FindFirstFileW,DeleteFileW,PathCombineW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_004185D0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00418700 PathCombineW,FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,PathCombineW,Sleep,FindNextFileW,FindClose, 0_2_00418700
Source: 7FzERy9xWc.exe, 00000000.00000002.201329272.000000000077A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00412C70 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00412C70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00409D89 mov eax, dword ptr fs:[00000030h] 0_2_00409D89
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041C4F0 mov edx, dword ptr fs:[00000030h] 0_2_0041C4F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041CAF0 HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetCurrentProcessId, 0_2_0041CAF0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00415510 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_00415510
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_004234C0 PFXImportCertStore,GetSystemTime, 0_2_004234C0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0040C999 HeapFree,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_0040C999
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00410960 GetTimeZoneInformation, 0_2_00410960
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_0041D000 GetComputerNameW,GetVersionExW, 0_2_0041D000

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: 7FzERy9xWc.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: 7FzERy9xWc.exe String found in binary or memory: RFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00415030 socket,bind,listen,closesocket, 0_2_00415030
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00406D40 WaitForSingleObject,socket,bind,GetTickCount,socket,bind,listen,closesocket,CreateEventW,WSAEventSelect,CloseHandle,shutdown,closesocket,getsockname,shutdown,closesocket,CloseHandle, 0_2_00406D40
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00414EE0 socket,bind,listen,closesocket, 0_2_00414EE0
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00414F40 socket,socket,bind,GetTickCount,socket,bind,listen,closesocket, 0_2_00414F40
Source: C:\Users\user\Desktop\7FzERy9xWc.exe Code function: 0_2_00415320 socket,bind,closesocket, 0_2_00415320

Behavior Graph

Behavior Graph ID: 385074
Sample: 7FzERy9xWc
Startdate: 11/04/2021
Architecture: WINDOWS
Score: 72
Signatures on start node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found)
Process started: 7FzERy9xWc.exe
Signatures on process node: Detected ZeusVM e-Banking Trojan
No contacted IP infos