MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2919fa110980fedf9851a425d093b7d9657050e2b7d9cf7fff639c9c3e6aad87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 2919fa110980fedf9851a425d093b7d9657050e2b7d9cf7fff639c9c3e6aad87
SHA3-384 hash: 331aa7f447fd1ad018f1a71e54fdd240eee48ce2f636481b94332f9448af044eddb4c68b30a5363bdac04375a3197089
SHA1 hash: 3c23b758efafc252018e803f236506d1e96d8997
MD5 hash: 5881a975e8b6511fe0ee137bf21e93c9
humanhash: kitten-ink-lima-twelve
File name: tasks_193.vir
Signature: n/a
File size: 376'503 bytes
First seen: 2020-07-19 19:42:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7ec5113317ea24a2615a691b8566580f
ssdeep: 6144:gTR/Kge6b9DaYfS98N/x7ojviCSUBl6ZeYz7wfXbuO6nVbhsOz8g3Pf:g1KDi9GR98xxsuCtiCXlwDz88f
TLSH: F1840447FB5816D7C46E1B3819F94B09E77098293F1A439B4428BB7CE8E53C26B1279C
Reporter: @tildedennis
Tags: tasks


Twitter (@tildedennis): tasks version 193

Intelligence


File Origin
# of uploads: 1
# of downloads: 22
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection: Clickfraudbot
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247454, sample tasks_193.vir, start date 20/07/2020, architecture WINDOWS, score 100). The graph is an image on the original page; the signatures, processes, dropped files and network contacts readable from it are listed here:
- Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
- Processes started from the sample: axaka.exe, tasks_193.exe, winsec32.exe, 5 other processes
- tasks_193.exe: drops C:\Windows\SysWOW64\winsec32.exe (PE32), C:\Users\user\AppData\Roaming\...\axaka.exe (PE32) and C:\Users\user\AppData\...\tmp32e65b85.bat (DOS); Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion); Tries to detect virtualization through RDTSC time measurements; starts axaka.exe and cmd.exe (which starts conhost.exe)
- axaka.exe: contacts coolsearch37845.com and survey-smiles.com (95.211.219.65, LEASEWEB-NL-AMS-01, Netherlands); Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 7 other signatures; injects into explorer.exe, which in turn starts three further axaka.exe instances; a child axaka.exe contacts coolsearch37845.com (212.32.237.101, Netherlands), ww1.coolsearch37845.com and 12065.bodis.com (199.59.242.153, BODIS-NJ, United States)
- axaka.exe instances: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
- winsec32.exe: Machine Learning detection for dropped file
- Other processes: Monitors registry run keys for changes
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-04-27 02:01:00 UTC
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Deletes itself
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments