MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeuS


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67
SHA3-384 hash: 345e7538ebb7a1dc02a69d969b6c4018e37fbfd7b6612e8eb55e2e68dbac4c8d91280d32bebf8e5572b8c8fb27f1fba7
SHA1 hash: 28461e56f09813363ccc1fa686e48938afde7ec4
MD5 hash: 11b3ae60c845189bbec476f762476e69
humanhash: princess-arizona-yankee-neptune
File name:action_2.0.8.9.vir
Download: download sample
Signature ZeuS
Create hunting rule
File size:389'632 bytes
First seen:2020-07-19 16:47:17 UTC
Last seen:2020-07-19 19:11:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 739c6b0a9c9c9348d604f81247a19060 (1 x ZeuS)
ssdeep 6144:XxCmihMpJzS6uPXrqsbrIyuaE9gYQSw1oKWUm0R5i+OFebc/q0A/oae:tihKzcZwmEu9U4mw5FvbCfAo1
Threatray 101 similar samples on MalwareBazaar
TLSH ED84E0167F8AD023C0B1473C4D90D541FF9EF969A2991742FBAC316F89326C359B628B
Reporter tildedennis
Tags:action


Avatar
tildedennis
action version 2.0.8.9

Intelligence

File Origin
# of uploads :
3
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27886/
Detection(s):
SecuriteInfo.com.Trojan.Generic.23136443.20045.13817.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390019
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247186 Sample: action_2.0.8.9.vir Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 5 other signatures 2->70 8 action_2.0.8.9.exe 3 6 2->8         started        13 ceow.exe 2->13         started        process3 dnsIp4 62 2.0.8.9 FranceTelecom-OrangeFR France 8->62 54 C:\Users\user\AppData\Roaming\...\ceow.exe, PE32 8->54 dropped 72 Detected unpacking (changes PE section rights) 8->72 74 Detected unpacking (overwrites its own PE header) 8->74 76 Creates autostart registry keys with suspicious names 8->76 86 3 other signatures 8->86 15 ceow.exe 8->15         started        18 cmd.exe 1 8->18         started        78 Writes to foreign memory regions 13->78 80 Allocates memory in foreign processes 13->80 82 Creates a thread in another existing process (thread injection) 13->82 84 Injects a PE file into a foreign processes 13->84 20 mstsc.exe 12 13 13->20         started        file5 signatures6 process7 dnsIp8 88 Antivirus detection for dropped file 15->88 90 Multi AV Scanner detection for dropped file 15->90 92 Detected unpacking (changes PE section rights) 15->92 100 8 other signatures 15->100 24 cmd.exe 1 15->24         started        26 cmd.exe 1 15->26         started        28 cmd.exe 1 15->28         started        32 8 other processes 15->32 30 conhost.exe 18->30         started        56 specialnan.date 20->56 58 office365.bit 20->58 60 127.0.0.1 unknown unknown 20->60 52 C:\Users\user\AppData\Local\...\Preferences, ASCII 20->52 dropped 94 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->94 96 Contains functionality to inject threads in other processes 20->96 98 Disables Internet Explorer cookie cleaning (a user can no longer delete cookies) 20->98 102 4 other signatures 20->102 file9 signatures10 process11 process12 48 4 other processes 24->48 34 conhost.exe 26->34         started        36 sc.exe 1 26->36         started        38 conhost.exe 28->38         started        40 sc.exe 1 28->40         started        42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 32->46         started        50 10 other processes 32->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67/
Threat name:
Win32.Trojan.Brsecmon
Create hunting rule
Status:
Malicious
First seen:
2018-10-18 16:59:17 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
ZeuS
371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
ZeuS
668ec5b9759f0349cc79113c4d2bb62ebf2239de79532f97248b242df8608a3c
ZeuS
854cd8ed0a2fb46f52cf610b77191562496c88eafa088cd2980d9c21bc3e8aa1
ZeuS
a618654d80abab200243945d1fb26204acb5bcc6e145656b8fb7152d8ab6a52e
ZeuS
b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
ZeuS
b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3
ZeuS
c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42
ZeuS
c3f8265bfcc61ef328a8f776318d74e588873047f51e0dc8e445c1f6d4334f30
ZeuS
ca7b714d4501ec386efecaecdd0181d83de489321ddbd38da8efeb9925dc7bef
ZeuS
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan ransomware bootkit persistence
Link:
https://tria.ge/reports/200719-z55hg5mj5j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Launches sc.exe
Launches sc.exe
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Stops running service(s)
Executes dropped EXE
Stops running service(s)
Modifies WinLogon to allow AutoLogon
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/action/
Cape
Cape
https://www.capesandbox.com/analysis/27886/

Comments