MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23fee11f65ab88b82ef71a7cde7c57a0dc0e88857ce7954804e48fc5d3d95d1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 23fee11f65ab88b82ef71a7cde7c57a0dc0e88857ce7954804e48fc5d3d95d1a
SHA3-384 hash: 34a67d1725c364fd098cd0a3351339dd6725473f8e61e32a4196327aca6bb4b0ac473cbd85af55544e75f256a6469ace
SHA1 hash: 24164421f373826237259f4999df24cd5ad249ab
MD5 hash: 4118c5745d60119973e05c3802147628
humanhash: texas-vegan-network-uniform
File name: tasks_182.vir
Signature: ZeuS
File size: 223'401 bytes
First seen: 2020-07-19 19:51:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d124e7304602373abe24b0747b176a9a
ssdeep: 6144:xkz4NfW+hyAU3EQPC5PYT89e4aQD1jozQA8qptK:w4dWqyRUQAHsSocrqptK
TLSH: 86241232BB36DEA4E6FB0C3868EAA73747540A7580349C8395C51E6F582E384417EF65
Reporter: @tildedennis
Tags: tasks ZeuS


Twitter (@tildedennis): tasks version 182

Intelligence


File Origin
# of uploads: 1
# of downloads: 53
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a window
- Unauthorized injection to a recently created process
- Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247674): sample tasks_182.vir, start date 20/07/2020, architecture WINDOWS, score 100.
Signatures on the submitted sample:
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Machine Learning detection for sample
- Drops executables to the windows directory (C:\Windows) and starts them
Processes started from the sample: tasks_182.exe, ybkako.exe, winsec32.exe, 3 other processes
tasks_182.exe:
- Dropped files: C:\Windows\SysWOW64\winsec32.exe (PE32); C:\Users\user\AppData\Roaming\...\ybkako.exe (PE32); C:\Users\user\AppData\...\tmp9ed5501b.bat (DOS)
- Detected unpacking (changes PE section rights)
- Detected unpacking (creates a PE file in dynamic memory)
- Detected unpacking (overwrites its own PE header)
- Drops batch files with force delete cmd (self deletion)
- Started: ybkako.exe, cmd.exe
ybkako.exe (started from the sample):
- Antivirus detection for dropped file
- Machine Learning detection for dropped file
- Overwrites Windows DLL code with PUSH RET codes
- Started: ybkako.exe
winsec32.exe:
- Tries to detect virtualization through RDTSC time measurements
ybkako.exe (started by tasks_182.exe):
- Overwrites Windows DLL code with PUSH RET codes
- Overwrites code with function prologues
cmd.exe:
- Started: conhost.exe
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-04-21 07:37:00 UTC
AV detection: 21 of 25 (84.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Drops file in Windows directory
- Drops file in Windows directory
- Drops file in System32 directory
- Drops file in System32 directory
- Adds Run key to start application
- Adds Run key to start application
- Loads dropped DLL
- Executes dropped EXE
- Executes dropped EXE

Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
