Windows Analysis Report
6qr4g3TReL.bin

Overview

General Information

Sample Name: 6qr4g3TReL.bin (renamed file extension from bin to exe)
Analysis ID: 660120
MD5: 2d2f0c7af61867cd84f2e419a62cef16
SHA1: e734bb114c2f47dc900d3a5a526db94f0b752ba0
SHA256: 5b3d4395b0f5acd40bc20f4bf3930cbd14da3d240ad67f7ab9a65de0681e8742
Tags: exezeus2

Detection

ZeusVM
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected ZeusVM e-Banking Trojan
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Contains VNC / remote desktop functionality (version string found)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to enumerate network shares
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
May initialize a security null descriptor
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: 6qr4g3TReL.exe Virustotal: Detection: 71%
Source: 6qr4g3TReL.exe ReversingLabs: Detection: 93%
Source: 6qr4g3TReL.exe Avira: detected
Source: 6qr4g3TReL.exe Joe Sandbox ML: detected
Source: 0.2.6qr4g3TReL.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 0.0.6qr4g3TReL.exe.400000.0.unpack Avira: Label: TR/Spy.Zbot.vbb.4
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00409A27 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00409A27

Compliance

Source: C:\Users\user\Desktop\6qr4g3TReL.exe Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack
Source: 6qr4g3TReL.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00414625 LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_00414625
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040DDAD FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040DDAD
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040DE68 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040DE68
Source: 6qr4g3TReL.exe, 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/webhp
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/webhpbcSeTcbPrivilege.exeSOFTWARE
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040A436 WaitForSingleObject,InternetReadFile, 0_2_0040A436
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0041B12F GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 0_2_0041B12F
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0041AFC2 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_0041AFC2

E-Banking Fraud

Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004078C6 lstrcmpiA,lstrcmpiA,lstrcmpiA, 0_2_004078C6
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00419513 OpenDesktopW,CreateDesktopW, 0_2_00419513
Source: 6qr4g3TReL.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00414D4D InitiateSystemShutdownExW,ExitWindowsEx, 0_2_00414D4D
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0041A5E9 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_0041A5E9
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0041A3A6 ExitWindowsEx, 0_2_0041A3A6
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00409934 0_2_00409934
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0041119E 0_2_0041119E
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00401DBB 0_2_00401DBB
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040B394 0_2_0040B394
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00409FB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_00409FB8
Source: 6qr4g3TReL.exe Virustotal: Detection: 71%
Source: 6qr4g3TReL.exe ReversingLabs: Detection: 93%
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00409D62 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_00409D62
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040707D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0040707D
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00406F0A CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_00406F0A
Source: classification engine Classification label: mal92.bank.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040EBA9 CoCreateInstance, 0_2_0040EBA9
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00409D0E CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 0_2_00409D0E
Source: 6qr4g3TReL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\6qr4g3TReL.exe Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack .text:ER;.bdata:R;.data:W;.odata:R;.data:EW;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00402045 push es; iretd 0_2_00402054
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00414018 push ebp; ret 0_2_00414021
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004026DB push cs; ret 0_2_004026F0
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00402711 push cs; iretd 0_2_00402720
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004143ED push esp; iretd 0_2_004143F6
Source: 6qr4g3TReL.exe Static PE information: section name: .bdata
Source: 6qr4g3TReL.exe Static PE information: section name: .odata
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00413E51 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,FreeLibrary, 0_2_00413E51
Source: initial sample Static PE information: section name: .data entropy: 7.377212715179087
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00406765 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_00406765

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\6qr4g3TReL.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\6qr4g3TReL.exe API coverage: 1.5 %
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040DDAD FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040DDAD
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040DE68 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040DE68
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00413E51 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,FreeLibrary, 0_2_00413E51
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00419B3D HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 0_2_00419B3D
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004196D9 mov edx, dword ptr fs:[00000030h] 0_2_004196D9
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040BC79 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_0040BC79
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004070CD PFXImportCertStore,GetSystemTime, 0_2_004070CD
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_004087B9 GetTimeZoneInformation, 0_2_004087B9
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00406CAF GetVersionExW, 0_2_00406CAF
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_00413091 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_00413091
Source: 6qr4g3TReL.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality

Source: 6qr4g3TReL.exe String found in binary or memory: RFB 003.003
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: RFB 003.003
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: scriptnbsp;tmp%s%08x.%s%s%08x*RFB 003.003
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040BAA8 socket,bind,closesocket, 0_2_0040BAA8
Source: C:\Users\user\Desktop\6qr4g3TReL.exe Code function: 0_2_0040B783 socket,bind,listen,closesocket, 0_2_0040B783
No contacted IP infos