MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6771d8d0431034fdd65f892475bfb38597457ccb65a7b2d46dd37579e22ebd4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 6771d8d0431034fdd65f892475bfb38597457ccb65a7b2d46dd37579e22ebd4d
SHA3-384 hash: b962894d7c46d9dc79bead7e0fd58a979390d2457bd23deea168c5fe053df5c0a82163b69e04931a3d156737fdf7a150
SHA1 hash: b22541ca672cb19b440e222133da6f220fa9027e
MD5 hash: 5bfda10184fb2ea0246db7f121bb9b22
humanhash: mars-table-september-missouri
File name: tasks_196.vir
Signature: n/a
File size: 234'517 bytes
First seen: 2020-07-19 19:51:32 UTC
Last seen: 2020-07-19 20:46:13 UTC
File type: Executable (exe)
MIME type: application/x-dosexec
imphash: 4a65c5cc70055c1cb90e95d5e040ea00
ssdeep: 6144:b8Zhc2iGmqhdR5eC7kj02mg/lRX5ccRF6G1:bO8GmwRYCgolgdZ5T1
TLSH: C8341332928C8BB9F04F6EB4C4728F2B4AD754338B67984947D1093FDC19791B8A46BD
Reporter: @tildedennis
Tags: tasks
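Before detonating or sharing a downloaded copy of this sample, confirm that the file on disk is the one the entry describes. The following is an added example, not MalwareBazaar code: it reads the file once, feeds the same chunks to all four hash algorithms listed above, and reports which published fields (size and digests) disagree with the file. The digest values are copied from this entry; the bytes hashed in demo() are constructed and deliberately do not match, which is the case the check exists to catch.

```python
"""Verify a downloaded sample against the digests published in a MalwareBazaar entry.

Added example; not part of MalwareBazaar. ENTRY_DIGESTS and ENTRY_SIZE are copied
from the entry above. The bytes hashed in demo() are constructed and are not the
real tasks_196.vir, so the comparison against the entry is expected to fail.
"""
import hashlib
import os
import tempfile

# Digests as listed in the entry (hex). Keys are hashlib.new() algorithm names.
ENTRY_DIGESTS = {
    "sha256": "6771d8d0431034fdd65f892475bfb38597457ccb65a7b2d46dd37579e22ebd4d",
    "sha3_384": "b962894d7c46d9dc79bead7e0fd58a979390d2457bd23deea168c5fe053df5c0a82163b69e04931a3d156737fdf7a150",
    "sha1": "b22541ca672cb19b440e222133da6f220fa9027e",
    "md5": "5bfda10184fb2ea0246db7f121bb9b22",
}
ENTRY_SIZE = 234517  # "File size" field of the entry, in bytes


def compute_digests(path, algorithms, chunk_size=1 << 20):
    """Hash the file once, updating every requested algorithm from the same chunk stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(path, expected, expected_size=None):
    """Return the names of the published fields that do NOT match the file.

    An empty list means the file is the sample the entry describes. The size
    check is done first because it is free and catches truncated downloads;
    digests are compared case-insensitively.
    """
    mismatches = []
    if expected_size is not None and os.path.getsize(path) != expected_size:
        mismatches.append("size")
    actual = compute_digests(path, expected.keys())
    for name, published in expected.items():
        if actual[name] != published.strip().lower():
            mismatches.append(name)
    return mismatches


def demo():
    """Run the check twice on a constructed file: against the entry (fails) and
    against digests of the file itself (passes). Returns both mismatch lists."""
    fake_sample = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample\n"
    with tempfile.NamedTemporaryFile(suffix=".vir", delete=False) as tmp:
        tmp.write(fake_sample)
        path = tmp.name
    try:
        against_entry = verify_sample(path, ENTRY_DIGESTS, ENTRY_SIZE)
        against_itself = verify_sample(path, compute_digests(path, ENTRY_DIGESTS), len(fake_sample))
        return against_entry, against_itself
    finally:
        os.unlink(path)


if __name__ == "__main__":
    bad, ok = demo()
    print("against entry:", "OK" if not bad else "mismatch in " + ", ".join(bad))
    print("against itself:", "OK" if not ok else "mismatch in " + ", ".join(ok))
```

To check a real download, call verify_sample("tasks_196.vir", ENTRY_DIGESTS, ENTRY_SIZE) and treat any non-empty result as a reason not to proceed; a .vir file from MalwareBazaar is the raw executable renamed, so the digests must match exactly.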


Reporter comment (Twitter, @tildedennis): tasks version 196

Intelligence


File origin
# of uploads: 2
# of downloads: 37
Origin country: US

Mail intelligence: No data

Vendor Threat Intelligence

Result
Detection: Clickfraudbot
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100

Behaviour
Behavior Graph (ID 247677; sample tasks_196.vir; start date 20/07/2020; architecture WINDOWS; score 100)

Sample-level signatures and network indicator:
- Network indicator: lalallaw334tdgd.com
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- 2 other signatures

Process tree (as drawn in the graph):
tasks_196.exe
    dropped: C:\Windows\SysWOW64\winsec32.exe (PE32)
    dropped: C:\Users\user\AppData\Roaming\...\ifozr.exe (PE32)
    dropped: C:\Users\user\AppData\...\tmp0fa74bfd.bat (DOS batch)
    signatures: Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion)
    started: ifozr.exe
    started: cmd.exe
        started: conhost.exe
ifozr.exe
    network: 212.32.237.91 (LEASEWEB-NL-AMS-01, Netherlands), ports listed 49738, 49740, 49742; reservdom2.com; 3 other IPs or domains
    signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 7 other signatures
    injected into: explorer.exe
        started: ifozr.exe (three instances)
            signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
    started: ifozr.exe
        network: coolsearch37845.com 23.82.12.29 (LEASEWEB-USA-WDC, United States), ports listed 49714, 49715, 80
        network: 1618.wcitianka.com 198.54.112.216 (NAMECHEAP-NET, United States), ports listed 49716, 49717, 80
        network: myrewardclub.net 91.224.58.27 (GRANSY, Czech Republic), ports listed 443, 49718, 49719
        signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
winsec32.exe
    signatures: Machine Learning detection for dropped file
3 other processes
    signatures: Monitors registry run keys for changes
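The behavior graph is rendered as one flattened line, but it still carries the indicators an analyst wants from a sandbox run: contacted domains and IPs, the ports observed, and the paths of dropped files. The following added example (not MalwareBazaar or sandbox-vendor code) parses that text with regular expressions into structured IOCs and then searches log lines for them. GRAPH_TEXT is the graph exactly as it appears in this entry; the log lines are constructed for the example. One caveat the code encodes: the port lists mix the sandbox's ephemeral client ports (Windows uses 49152 to 65535 by default) with the server port, so only ports outside that range are kept as destination ports. For 212.32.237.91 every listed port is ephemeral, so its destination port is simply unknown from this graph.

```python
"""Extract IOCs from the flattened behavior-graph text of this entry and match
them against log lines.

Added example, not part of MalwareBazaar or of any sandbox vendor's tooling.
GRAPH_TEXT is the graph as rendered in this entry; SAMPLE_LOG is constructed.
"""
import re
from ipaddress import ip_address

GRAPH_TEXT = r"""
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247677 Sample: tasks_196.vir Startdate: 20/07/2020
Architecture: WINDOWS Score: 100 44 lalallaw334tdgd.com 2->44 58 Snort IDS alert for network traffic
(e.g. based on Emerging Threat rules) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60
62 Multi AV Scanner detection for submitted file 2->62 64 2 other signatures 2->64 8 ifozr.exe 4 18 2->8
started 12 tasks_196.exe 2 5 2->12 started 15 winsec32.exe 1 2->15 started 17 3 other processes 2->17
signatures3 process4 dnsIp5 52 212.32.237.91, 49738, 49740, 49742 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 8->52
54 reservdom2.com 8->54 56 3 other IPs or domains 8->56 70 Antivirus detection for dropped file 8->70
72 Detected unpacking (changes PE section rights) 8->72 74 Detected unpacking (creates a PE file in dynamic memory) 8->74
84 7 other signatures 8->84 19 explorer.exe 1 8->19 injected 21 ifozr.exe 2 48 8->21 started
38 C:\Windows\SysWOW64\winsec32.exe, PE32 12->38 dropped 40 C:\Users\user\AppData\Roaming\...\ifozr.exe, PE32 12->40 dropped
42 C:\Users\user\AppData\...\tmp0fa74bfd.bat, DOS 12->42 dropped 76 Detected unpacking (overwrites its own PE header) 12->76
78 Drops batch files with force delete cmd (self deletion) 12->78 25 ifozr.exe 12->25 started 27 cmd.exe 1 12->27 started
80 Machine Learning detection for dropped file 15->80 82 Monitors registry run keys for changes 17->82
file6 signatures7 process8 dnsIp9 29 ifozr.exe 19->29 started 32 ifozr.exe 19->32 started 34 ifozr.exe 19->34 started
46 coolsearch37845.com 23.82.12.29, 49714, 49715, 80 LEASEWEB-USA-WDCUS United States 21->46
48 1618.wcitianka.com 198.54.112.216, 49716, 49717, 80 NAMECHEAP-NETUS United States 21->48
50 myrewardclub.net 91.224.58.27, 443, 49718, 49719 GRANSYGransysrohttpgransycomCZ Czech Republic 21->50
66 Overwrites Windows DLL code with PUSH RET codes 21->66 68 Overwrites code with function prologues 21->68
36 conhost.exe 27->36 started signatures10 process11 signatures12
86 Overwrites Windows DLL code with PUSH RET codes 29->86 88 Overwrites code with function prologues 29->88
"""

# name.ext tokens that are files in this text, not hostnames
FILE_EXTENSIONS = {"exe", "dll", "bat", "vir", "sys"}
# Windows' default dynamic client-port range; the graph lists the sandbox's
# source ports next to the server port, so only ports outside this range are
# treated as destination ports.
EPHEMERAL = range(49152, 65536)

DOMAIN = r"(?:[a-z0-9-]+\.)+[a-z]{2,}"
DOMAIN_RE = re.compile(r"\b(" + DOMAIN + r")\b", re.IGNORECASE)
IP_RE = re.compile(
    r"(?:(?P<domain>" + DOMAIN + r")\s+)?"      # hostname drawn before the IP
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    r"(?P<ports>(?:,\s*\d{1,5})*)",             # ", 49714, 49715, 80"
    re.IGNORECASE,
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+")     # Windows paths end at whitespace or comma


def extract_iocs(text):
    """Return {"domains": set, "hosts": {ip: {"domains", "server_ports"}}, "dropped_paths": list}."""
    domains = set()
    for m in DOMAIN_RE.finditer(text):
        name = m.group(1).lower()
        if name.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
            domains.add(name)
    hosts = {}
    for m in IP_RE.finditer(text):
        try:
            ip = str(ip_address(m.group("ip")))  # rejects octets above 255
        except ValueError:
            continue
        ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
        host = hosts.setdefault(ip, {"domains": set(), "server_ports": set()})
        host["server_ports"].update(p for p in ports if p <= 65535 and p not in EPHEMERAL)
        if m.group("domain"):
            host["domains"].add(m.group("domain").lower())
    return {"domains": domains, "hosts": hosts, "dropped_paths": PATH_RE.findall(text)}


def scan_log(lines, iocs):
    """Return (line number, kind, indicator) for every domain or IP hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for domain in sorted(iocs["domains"]):
            # match the name and its subdomains, not unrelated names that merely end in it
            if re.search(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])", low):
                hits.append((number, "domain", domain))
        for ip in sorted(iocs["hosts"]):
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((number, "ip", ip))
    return hits


# Constructed DNS/proxy log lines, not from any real host.
SAMPLE_LOG = [
    "2020-07-20T10:01:02Z 10.0.0.15 dns query A coolsearch37845.com",
    "2020-07-20T10:01:03Z 10.0.0.15 tcp connect 23.82.12.29:80",
    "2020-07-20T10:01:09Z 10.0.0.16 dns query A update.microsoft.com",
    "2020-07-20T10:02:41Z 10.0.0.15 tls connect 91.224.58.27:443 sni=myrewardclub.net",
]

if __name__ == "__main__":
    iocs = extract_iocs(GRAPH_TEXT)
    for ip, info in sorted(iocs["hosts"].items()):
        ports = ",".join(map(str, sorted(info["server_ports"]))) or "unknown"
        print(f"{ip:16} dst port(s) {ports:8} {' '.join(sorted(info['domains'])) or '-'}")
    for hit in scan_log(SAMPLE_LOG, iocs):
        print("HIT", *hit)
```

The file-extension filter matters because the same name.ext shape covers both hostnames and the process and dropped-file names in the graph; without it ifozr.exe and conhost.exe would be reported as domains. Indicators pulled this way are sandbox observations from one run in 2020, so treat them as pivots to verify against current passive DNS rather than as a permanent blocklist.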
Result
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-04-28 20:23:00 UTC
AV detection: 23 of 25 (92.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Deletes itself
Executes dropped EXE

Result
Threat name: Unknown
Score: 1.00
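Two of the behaviours reported for this sample, adding a Run key for persistence and dropping a batch file that force-deletes and then removes itself, are things an analyst can look for on a suspect host given an autoruns export and any recovered .bat. The following is an added example, not MalwareBazaar or sandbox-vendor code: it flags Run-key entries whose target matches a file the sandbox saw dropped or runs from a user-writable directory, and it recognises the force-delete / retry-loop / delete-self pattern in a batch script. The dropped-file paths are copied from the behavior graph in this entry (the elided "..." directory is kept and matched by file name only); the Run-key rows, the "Example" directory, the environment-variable values and the batch contents are constructed for the example.

```python
"""Endpoint triage for two behaviours named in this entry: Run-key persistence
and a self-deleting dropper batch file.

Added example, not part of MalwareBazaar or any sandbox product. DROPPED_PATHS
are copied from the behavior graph above; RUN_ENTRIES, the "Example" directory,
ENV and SELF_DELETE_BAT are constructed inputs.
"""
import ntpath
import re

# Dropped files as listed in the behavior graph. The "..." is an elided
# directory in the report, so that entry can only be matched by file name.
DROPPED_PATHS = [
    r"C:\Windows\SysWOW64\winsec32.exe",
    r"C:\Users\user\AppData\Roaming\...\ifozr.exe",
    r"C:\Users\user\AppData\...\tmp0fa74bfd.bat",
]

# Constructed autoruns rows: (key, value name, command line).
RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "winsec32",
     r"C:\Windows\SysWOW64\winsec32.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ifozr",
     r'"%APPDATA%\Example\ifozr.exe" /q'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Constructed batch file showing the classic dropper cleanup pattern: force-delete
# the original, loop until it is gone, then delete the script itself.
SELF_DELETE_BAT = """@echo off
:Repeat
del /F /Q "C:\\Users\\user\\Desktop\\tasks_196.exe"
if exist "C:\\Users\\user\\Desktop\\tasks_196.exe" goto Repeat
del /F /Q "%~f0"
"""

# Constructed expansions for a host whose user profile is "user".
ENV = {
    "%appdata%": r"C:\Users\user\AppData\Roaming",
    "%temp%": r"C:\Users\user\AppData\Local\Temp",
    "%windir%": r"C:\Windows",
}

# Directories a standard user can write to; persistence pointing here deserves
# a look even when the binary name looks plausible.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                         "\\users\\public\\", "\\programdata\\")


def executable_from_command(command, env=ENV):
    """Return the executable path from a Run-key command line: expand the
    variables in env, strip a quoted path's quotes, and drop any arguments."""
    cmd = command.strip()
    for var, value in env.items():
        cmd = re.sub(re.escape(var), lambda _m, v=value: v, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


def triage_run_keys(entries, dropped_paths):
    """Return (key, value name, executable, reasons) for every entry worth a look."""
    dropped_full = {p.lower() for p in dropped_paths if "..." not in p}
    dropped_names = {ntpath.basename(p).lower() for p in dropped_paths}
    findings = []
    for key, name, command in entries:
        exe = executable_from_command(command)
        low = exe.lower()
        reasons = []
        if low in dropped_full or ntpath.basename(low) in dropped_names:
            reasons.append("matches a file the sandbox saw dropped")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable directory")
        if low.endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
            reasons.append("script rather than a PE")
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


def self_delete_indicators(text):
    """Components of the force-delete / retry / delete-self cleanup pattern."""
    low = text.lower()
    return {
        "force_delete": re.search(r"\bdel\b[^\n]*\s/[fq]\b", low) is not None,
        "retry_loop": re.search(r"\bif\s+exist\b[^\n]*\bgoto\b", low) is not None,
        # %0, %~f0 and friends expand to the script's own path
        "deletes_self": re.search(r"\bdel\b[^\n]*%(?:~[a-z]*)?0\b", low) is not None,
    }


def is_self_deleting_batch(text):
    """A forced delete plus a delete of the script itself is the minimum; the
    retry loop is common but not required."""
    ind = self_delete_indicators(text)
    return ind["force_delete"] and ind["deletes_self"]


if __name__ == "__main__":
    for key, name, exe, reasons in triage_run_keys(RUN_ENTRIES, DROPPED_PATHS):
        print(f"{key}\\{name} -> {exe}: {'; '.join(reasons)}")
    print("self-deleting batch:", is_self_deleting_batch(SELF_DELETE_BAT))
```

The matching is deliberately literal: a Run key pointing at the exact dropped path, or at a file with the same name as one dropped from an elided directory, is a strong pivot from sandbox output to a live host, while the user-writable-directory check is only a heuristic and will also flag legitimate per-user software (the constructed SecurityHealth row is there to show a system binary passing untouched).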

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments