MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfdb94b364a42302e1801a4c792b6ce161162e14c2d262eb799cfcf074dafcd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: cfdb94b364a42302e1801a4c792b6ce161162e14c2d262eb799cfcf074dafcd8
SHA3-384 hash: 302dcf5da6e1482acfe6615c42f2c0dabe6f3bf34453c86dbe531f7c072f9ad801888175fa2d2978b161dad743ae4c7b
SHA1 hash: e0207d1077ffd7751b9e9303d3bac943a7d90559
MD5 hash: 396e9651ad4114c7417f0b07baa74221
humanhash: spring-uranus-steak-india
File name:tasks_199.vir
Download: download sample
Signature ZeuS
File size:385'580 bytes
First seen:2020-07-19 17:15:18 UTC
Last seen:2020-07-19 19:13:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3edc2b7bc52c82aaa43a758f299fdf58
ssdeep 6144:64DoML/L+I+94SpxzDYe+5olZHggD61GBg/mfP9WxySJpLseqDIJY:XoMn+jz3+3QbX9WxySJpKj
TLSH 3384F253F148C974E47B9030EB5D94A64B773D3BC582985732C0BA9B78F1653A4B3A0B
Reporter @tildedennis
Tags:tasks ZeuS


Twitter
@tildedennis
tasks version 199

Intelligence


File Origin
# of uploads :
2
# of downloads :
25
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247198 Sample: tasks_199.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Machine Learning detection for sample 2->64 66 Drops executables to the windows directory (C:\Windows) and starts them 2->66 8 ceutoni.exe 4 14 2->8         started        12 tasks_199.exe 2 5 2->12         started        15 winsec32.exe 1 2->15         started        17 6 other processes 2->17 process3 dnsIp4 54 ww1.survey-smiles.com 8->54 56 survey-smiles.com 69.162.80.58, 49763, 49766, 80 LIMESTONENETWORKSUS United States 8->56 58 2 other IPs or domains 8->58 74 Antivirus detection for dropped file 8->74 76 Detected unpacking (changes PE section rights) 8->76 78 Detected unpacking (creates a PE file in dynamic memory) 8->78 90 7 other signatures 8->90 19 explorer.exe 4 8->19 injected 21 ceutoni.exe 2 48 8->21         started        42 C:\Windows\SysWOW64\winsec32.exe, PE32 12->42 dropped 44 C:\Users\user\AppData\Roaming\...\ceutoni.exe, PE32 12->44 dropped 46 C:\Users\user\AppData\...\tmp7a9d5064.bat, DOS 12->46 dropped 80 Detected unpacking (overwrites its own PE header) 12->80 82 Drops batch files with force delete cmd (self deletion) 12->82 84 Tries to detect virtualization through RDTSC time measurements 12->84 25 ceutoni.exe 12->25         started        27 cmd.exe 1 12->27         started        86 Machine Learning detection for dropped file 15->86 88 Monitors registry run keys for changes 17->88 29 WerFault.exe 17->29         started        file5 signatures6 process7 dnsIp8 31 ceutoni.exe 19->31         started        34 ceutoni.exe 19->34         started        36 ceutoni.exe 19->36         started        48 1618.wcitianka.com 198.54.112.216, 49737, 49738, 80 NAMECHEAP-NETUS United States 21->48 50 coolsearch37845.com 212.32.237.101, 49735, 49736, 49762 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 21->50 52 myrewardclub.net 91.224.58.27, 443, 49739, 49741 GRANSYGransysrohttpgransycomCZ Czech Republic 21->52 68 Overwrites Windows DLL code with PUSH RET codes 21->68 70 Overwrites code with function prologues 21->70 38 conhost.exe 27->38         started        72 Writes to foreign memory regions 29->72 signatures9 process10 signatures11 92 Overwrites Windows DLL code with PUSH RET codes 31->92 94 Overwrites code with function prologues 31->94 40 WerFault.exe 3 10 36->40         started        process12
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2013-04-30 20:10:00 UTC
AV detection:
21 of 25 (84.00%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Drops file in Windows directory
Drops file in Windows directory
Drops file in System32 directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
JavaScript code in executable
Deletes itself
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments