MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7969b30d717867cea9427b87a822d59edd94600312599cf407d0d6ec35988ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: b7969b30d717867cea9427b87a822d59edd94600312599cf407d0d6ec35988ed
SHA3-384 hash: 119b45af8d5cf3d400dce37264db97355d4f65df102e2674e4c6a166d9dc10690588639e1dc4c03b18df8498892df218
SHA1 hash: 345864026b571328aa2deeb9c2fc62fa75e5e847
MD5 hash: 36bb5464092459c07fc4a5014304d072
humanhash: pizza-july-december-october
File name: sphinx_1.0.1.2.vir
Signature: ZeusSphinx
File size: 1'528'133 bytes
First seen: 2020-07-19 19:36:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59a4a44a250c4cf4f2d9de2b3fe5d95f
ssdeep: 24576:AwgiPl8pQUTNJx7xeTbM0IzEJWVdh3lZ/o79I349kWeR0HXm5xhjn6cgGc+6gSq:yiPlpSj7xoIwk/1s9I34wR0HX+btJqgB
TLSH: 7F653351A59A9909C5E0E730BFB2C7D163F4DA902291888627D5FE779B78832CD83CD3
Reporter: @tildedennis
Tags: sphinx ZeusSphinx


Twitter (@tildedennis): sphinx version 1.0.1.2

Intelligence


File Origin
# of uploads: 1
# of downloads: 18
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Sending an HTTP GET request
  Creating a file in the %temp% subdirectories
  Reading critical registry keys
  Creating a file
  Deleting a recently created file
  Reading Telegram data
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Sending a TCP request to an infection source
  Stealing user critical data
Result
Threat name: ZeusVM
Detection: malicious
Classification: phis.bank.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID 247410 (sample: sphinx_1.0.1.2.vir, start date: 20/07/2020, architecture: WINDOWS, score: 100). The graph rendering is not reproduced here; its main nodes show sphinx_1.0.1.2.exe unpacking itself (changes PE section rights, overwrites its own PE header), dropping qoqu.exe and a temporary .bat file, injecting code into explorer.exe, triggering the "Detected ZeusVM e-Banking Trojan" signature, and explorer.exe then connecting to 76.73.17.194:9090 and 208.83.223.34:80.
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2016-02-17 00:41:00 UTC
AV detection: 28 of 31 (90.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour: NSIS installer
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments