MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f26348395dca9ac50317a4a220a5c61409194f0903139f4d06c731aa3be6f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 7f26348395dca9ac50317a4a220a5c61409194f0903139f4d06c731aa3be6f5e
SHA3-384 hash: 390919b93530bafba2a3dd8102e46afb26bbec710a536d44d90634ff9dc12dc314c403a6903f5e68297d8db107e9c9fb
SHA1 hash: 75d75642dbded90f7f6e4a93f02e527cc789d35a
MD5 hash: 4a91b5b272fa2898445e18506c08d055
humanhash: ohio-fillet-tango-wolfram
File name: tasks_202.vir
Signature: ZeuS
File size: 313'575 bytes
First seen: 2020-07-19 17:25:53 UTC
Last seen: 2020-07-19 19:17:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 15dd7c244535280e38c9bf636fdd3bac
ssdeep: 6144:KwXJ0Pj5FEmnf1wM0kZZRH/XQ+LXH2D+X8B92GGzLE+s8Xre:jZ0rniMVXQ+LGgzLEDie
TLSH: 0964F142B1414DDBE87913F3EC0BC16428D26A9B9362939F9BF37B1985A33171627E09
Reporter: @tildedennis
Tags: tasks

Twitter (@tildedennis): tasks version 202

Intelligence

File Origin
# of uploads: 2
# of downloads: 21
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Detection(s):

Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID: 247157; Sample: tasks_202.vir; Startdate: 19/07/2020; Architecture: WINDOWS; Score: 100. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures.
Result
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-05-02 19:04:00 UTC
AV detection: 23 of 25 (92.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Deletes itself
Executes dropped EXE
Result
Threat name: Unknown
Score: 1.00

File information

The table below shows additional information about this malware sample such as delivery method and external references.