Windows Analysis Report
dmB3aYi8Bo.bin

Overview

General Information

Sample Name: dmB3aYi8Bo.bin (renamed file extension from bin to exe)
Analysis ID: 691233
MD5: 56aa277081075438c3dbbef841299172
SHA1: e5870965f41cb82f454043845641ae92b6c6b939
SHA256: 0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
Tags: exeunnamed10

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected ZeusVM e-Banking Trojan
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
May initialize a security null descriptor
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: dmB3aYi8Bo.exe Avira: detected
Source: dmB3aYi8Bo.exe Virustotal: Detection: 57%
Source: dmB3aYi8Bo.exe ReversingLabs: Detection: 76%
Source: dmB3aYi8Bo.exe Joe Sandbox ML: detected
Source: 0.0.dmB3aYi8Bo.exe.12b0000.0.unpack Avira: Label: TR/Spy.Zbot.afkmx
Source: 0.2.dmB3aYi8Bo.exe.12b0000.0.unpack Avira: Label: TR/Spy.Zbot.afkmx
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B48A2 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_012B48A2
Source: dmB3aYi8Bo.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012BD399 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_012BD399
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012BD44A FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_012BD44A
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B685D select,recv, 0_2_012B685D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012CA854 GetKeyboardState,ToUnicode,TranslateMessage, 0_2_012CA854
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012CA8EB GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 0_2_012CA8EB

E-Banking Fraud

Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B30C0 lstrcmpiA,lstrcmpiA, 0_2_012B30C0
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012D022B OpenDesktopW,CreateDesktopW, 0_2_012D022B
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C80B0 InitiateSystemShutdownExW,ExitWindowsEx, 0_2_012C80B0
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C1A81 ExitWindowsEx, 0_2_012C1A81
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B6177 0_2_012B6177
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B636F 0_2_012B636F
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B5B49 0_2_012B5B49
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B5D60 0_2_012B5D60
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B5F21 0_2_012B5F21
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C976D 0_2_012C976D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B1BC2 0_2_012B1BC2
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012CAFE4 0_2_012CAFE4
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B6601 0_2_012B6601
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012BBAD7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_012BBAD7
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C2BCD NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_012C2BCD
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C2C77 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_012C2C77
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C2F67 CreateToolhelp32Snapshot,Process32FirstW,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, 0_2_012C2F67
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B4E98 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_012B4E98
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B395D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_012B395D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B3813 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_012B3813
Source: classification engine Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B504C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_012B504C
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe API coverage: 1.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C105D mov edx, dword ptr fs:[00000030h] 0_2_012C105D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B18F2 HeapCreate,GetProcessHeap, 0_2_012B18F2
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C2D9E LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,LeaveCriticalSection, 0_2_012C2D9E
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B6FBD InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_012B6FBD
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B3E69 GetTimeZoneInformation, 0_2_012B3E69
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C7B5C GetVersionExW,GetNativeSystemInfo, 0_2_012C7B5C
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B1B1D PFXImportCertStore,GetSystemTime, 0_2_012B1B1D
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012C87ED GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_012C87ED
Source: dmB3aYi8Bo.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality

Source: dmB3aYi8Bo.exe String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: RFB 003.003
Source: dmB3aYi8Bo.exe, 00000000.00000000.311521845.00000000012D7000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ! RFB 003.003
Source: dmB3aYi8Bo.exe String found in binary or memory: ! RFB 003.003
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B6A4C socket,bind,listen,closesocket, 0_2_012B6A4C
Source: C:\Users\user\Desktop\dmB3aYi8Bo.exe Code function: 0_2_012B1929 socket,bind,closesocket, 0_2_012B1929
No contacted IP infos