MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZeuS

Vendor detections: 9

SHA256 hash: b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
SHA3-384 hash: 9373f36261148ba4fa5128a75cc2cd56154980e8aaee5b880b27ee7315ff0ccc51a7cf33ed74f8c7491ef5654f615b1d
SHA1 hash: 231899877604d50a2692781358f090f0fdd21c62
MD5 hash: f5b3048dd2e673f152d32b45a627f75a
humanhash: nebraska-black-november-lactose
File name: SKM_454e20070310530.scr
Signature: ZeuS
File size: 828'416 bytes
First seen: 2020-07-29 05:31:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep: 12288:JRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXl6BtJXcCcPpxI3NSCT8b86HR:Jfd8z4byilBdlGXMvXmPpxI3DT8x
Threatray: 105 similar samples on MalwareBazaar
TLSH: EB05BF66B2E14833D1671E389C1B5764AF3ABE002A3859452FFCDC4C5F39781F8662A7
Reporter: @abuse_ch
Tags: scr ZeuS


Twitter
@abuse_ch
Malspam distributing ZeuS:

HELO: mail.mojoka.tk
Sending IP: 45.147.162.151
From: Panda Kao / selina.chen - 陳靜怡 <admin@mojoka.tk>
Subject: (更新運費)萬達回覆紅蘿蔔運費報價 FM : TAICHUNG, TAIWAN TO: LOS ANGELES, USA (1 x 20') - RESEND
Attachment: SKM_454e20070310530.zip (contains "SKM_454e20070310530.scr")

ZeuS (Citadel) C2:
http://libertygiove.com/clips/gate.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'464
Origin country: US
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Launching cmd.exe command interpreter
Launching a process
Launching the process to change the firewall settings
Launching a service
Launching the process to interact with network services
Sending an HTTP GET request
Creating a file
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a browser process
Result
Threat name: Unknown
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)
Drops batch files with force delete cmd (self deletion)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites Windows DLL code with PUSH RET codes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 252855; sample SKM_454e20070310530.scr; start date 29/07/2020; architecture WINDOWS; score 100), reconstructed from the graph export as a process tree:

Sample-level: DNS lookup g.msn.com; signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures

SKM_454e20070310530.exe (started)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops batch files with force delete cmd (self deletion); 2 other signatures
  SKM_454e20070310530.exe (started)
    dropped: C:\Users\user\AppData\...\ikapevowude.exe (PE32); C:\Users\user\AppData\...\tmp535560a6.bat (DOS); C:\Users\user\AppData\Local\...\tmp7B78.tmp (PE32); C:\Users\user\AppData\Local\...\tmp7AEA.tmp (PE32)
    signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
    ikapevowude.exe (started)
      signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
      ikapevowude.exe (started)
        network: libertygiove.com 91.234.99.15, port 80 (PIHL-ASRU, Netherlands)
        dropped: C:\Users\user\AppData\Local\...\tmp928A.tmp (PE32); C:\Users\user\AppData\Local\...\tmp925A.tmp (PE32)
        signatures: Injects code into the Windows Explorer (explorer.exe); Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues; 4 other signatures
        UuyvUGXbSDauh.exe (injected)
          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Disables Internet Explorer cookie cleaning (a user can no longer delete cookies); 2 other signatures
        UuyvUGXbSDauh.exe (injected)
          signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
        UuyvUGXbSDauh.exe (injected)
        16 other processes
          network: cdn.onenote.net; asf-ris-prod-neurope.northeurope.cloudapp.azure.com 168.63.67.155, port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 192.168.2.1 (unknown)
    cmd.exe (started)
      conhost.exe (started)
Threat name: Win32.Trojan.DataStealer
Status: Malicious
First seen: 2020-07-29 05:33:07 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
NTFS ADS
Gathers network information
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Modifies Windows Firewall
Executes dropped EXE
UPX packed file

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: Atmos_Malware
Author: xylitol@temari.fr
Description: Generic Spyware.Citadel.Atmos Signature
Reference: http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Rule name: Atmos_Packed_Malware
Author: xylitol@temari.fr
Description: Second Generic Spyware.Citadel.Atmos signature when the builder adds a packed layer
Reference: http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Rule name: citadel13xy
Author: Jean-Philippe Teissier / @Jipe_
Description: Citadel 1.5.x.y trojan banker

Rule name: win_citadel_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  -> ZeuS
    -> Executable exe b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d (this sample)

Delivery method: Distributed via e-mail attachment

Comments