MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeuS


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9
SHA3-384 hash: 0ed1fdec79797a603b2ce3a4bd4c58f91bb11d4bb8239a3923dae4446320bf105eec85902bf410c98f1580e76d20d41a
SHA1 hash: 6bfae596d6db6c07fbe6d99d1e6d6411242fc455
MD5 hash: b2ccfc9c9b1302ee46e277b92662414b
humanhash: sixteen-one-illinois-music
File name:597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9
Download: download sample
Signature ZeuS
Create hunting rule
File size:592'896 bytes
First seen:2023-07-07 01:19:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 734bd457718220220e31e08795f3cb4f (1 x ZeuS)
ssdeep 6144:ofhrfNSVM92Mdf/sqKH/zkd76LjqApLK0iLvFWS31UoDr36Gyv3LoRYViD6Lym54:kEJ0hMebn32cyijj5
TLSH T178C46D13E76819E6DFD09FBC2A5C92EE006F643B5714E448682D37E139ECB20EE91974
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter tildedennis
Tags:exe gameover ZeuS


Avatar
tildedennis
gameover version 2014-05-29

Intelligence

File Origin
# of uploads :
1
# of downloads :
464
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9
Verdict:
Malicious activity
Analysis date:
2023-07-07 01:21:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e38f139-746d-48d6-903b-30fcf8578a07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/410236/
Detection(s):
Win.Trojan.Zbot-1347
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the drivers directory
Creating a service
Launching a service
Loading a system driver
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Setting browser functions hooks
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96079/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Zbot
Link:
https://www.hybrid-analysis.com/sample/597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zeus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f65b299c-4297-4cc9-83c1-e3ad6502b348
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1268769
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May enable test signing (to load unsigned drivers)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to steal Mail credentials (via file / registry access)
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1268769 Sample: g0cxa0CqK9.exe Startdate: 07/07/2023 Architecture: WINDOWS Score: 100 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 3 other signatures 2->51 8 g0cxa0CqK9.exe 4 2->8         started        process3 file4 37 C:\Users\user\AppData\Local\...\egbyum.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\ZXS99B6.bat, DOS 8->39 dropped 53 Detected unpacking (changes PE section rights) 8->53 55 Detected unpacking (overwrites its own PE header) 8->55 57 Self deletion via cmd or bat file 8->57 59 4 other signatures 8->59 12 egbyum.exe 1 1 8->12         started        signatures5 process6 file7 41 C:\Windows\System32\drivers\42f655.sys, PE32+ 12->41 dropped 61 Antivirus detection for dropped file 12->61 63 Detected unpacking (changes PE section rights) 12->63 65 Detected unpacking (overwrites its own PE header) 12->65 67 11 other signatures 12->67 16 zQUWInEkOOARNKBKpmiWcYFfkML.exe 12->16 injected 19 bcdedit.exe 1 12->19         started        21 bcdedit.exe 1 12->21         started        23 43 other processes 12->23 signatures8 process9 signatures10 43 Tries to steal Mail credentials (via file / registry access) 16->43 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 23->31         started        33 conhost.exe 23->33         started        35 5 other processes 23->35 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2014-05-31 06:02:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lf74ekrzkuggotb34a5sxiq5trkfoe4jorgyeqfhuh2bnposwsuq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence ransomware
Link:
https://tria.ge/reports/230707-bp4ccaga4s/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Modifies boot configuration data using bcdedit
Unpacked files
SH256 hash:
51f453286804bcfad5f64e869849511a70e3e1fe74bbe1c06d3a653d4bc09773
MD5 hash:
59b969743ed49f807df54db150379c61
SHA1 hash:
1b6c3699f1072fb69a53abc0c16b971627277e68
Detections:
win_gameover_dga_auto
Create hunting rule
Link:
https://www.unpac.me/results/757322cc-c0e4-4c8f-8a54-eff421c991e8/
SH256 hash:
597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9
MD5 hash:
b2ccfc9c9b1302ee46e277b92662414b
SHA1 hash:
6bfae596d6db6c07fbe6d99d1e6d6411242fc455
Link:
https://www.unpac.me/results/757322cc-c0e4-4c8f-8a54-eff421c991e8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/597fc22a3955/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/597fc22a39550c674c3be03b2ba21d9c54571389744d8240a7a1f416bdd2b4a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/gameover/
Cape
Cape
https://www.capesandbox.com/analysis/410236/

Comments