MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeuS


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279
SHA3-384 hash: 68050ecb3925cb5c2c0e8c9043f34a3923360e0f2bd217f6e4ce29202f43f65ca0e90e1e11c5f11930eb5e515f13c130
SHA1 hash: c492097baec0d9d5b3e903cd41915ab5e24a966f
MD5 hash: 0ee4f395dd071f169e95e34454bbf446
humanhash: purple-hotel-foxtrot-jig
File name:dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279
Download: download sample
Signature ZeuS
Create hunting rule
File size:100'352 bytes
First seen:2020-10-11 15:42:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb7a0bcea1310ce9cab0c52be206d0f1 (1 x ZeuS)
ssdeep 1536:QpR7CH048t7/CqvY4L01aeW2QF9+bQLsBql/Ajm5FBCaFk3k7PuhzDD:SR7CV8t2eLWay8IZqJpFBCwk3MPuhz
Threatray 68 similar samples on MalwareBazaar
TLSH 28A3E0E7795C09EFCAAD67347D321F07DFE09490119768182688DAC9CBCF68B84493E6
Reporter @tildedennis
Tags:ZeuS zeus 1


Twitter
@tildedennis
zeus 1 version 1.2.10.0

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'468
Origin country :
FR FR
Mail intelligence
Gathering data
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69838/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487728
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2011-07-24 08:26:00 UTC
File Type:
PE (Exe)
AV detection:
43 of 48 (89.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/3vzcm4bb3fp6ukfnh6xwek2tkbku5sbx636qxkrwo4z4jgzmcj4q._file
Verdict:
malicious
Similar samples:
0ffba4bb2b66cfb49b830939afb3da083be681c78eafd0c34f895f106980f30e
ZeuS
334ff98908b85214d066418232804605967b4b8f71d20cfc11a32aeef187a25d
ZeuS
5c636aa59a3960bd98182fa2f3800453b4de5c758adbfb752e85e14ff52a24d3
ZeuS
61e1a726a2410e5844398cebe9081f0c564341498a929aab861435fdab5f8157
ZeuS
63ba84423a4d3c8728b3fab4588eed5145889b98c3d070a5dbfcbbed0be29e9f
ZeuS
8b5da3fc469190ecae7156e694ac61fdc4d23aa9f04e55e877c058a1e5e94b11
ZeuS
8b8f14e302a8255c8061e41c3b75dde29da2265bca709e670001da7e9b58b891
ZeuS
d3baf4f620bd6a65ad0bd17009869a496b7e660d97be21db920daedcf8f95868
ZeuS
da33ab6ea38ec6f285d82061991f014914fe718fe8516c04fa8dc38ea4ddcee2
ZeuS
f797a6431426ff04d0640dc3ae0aa4db3f0232d5d0cef3b7df9cd05da5d3acdb
ZeuS
+ 58 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/201011-pcqkcp1sba/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
245137d13b47adb5c2e60e5a6f69b18cc9942434f63814465dd808a43d77be0c
MD5 hash:
bc4e50c8b8c2f1d519ef8adea34baa0c
SHA1 hash:
9befef1c9a64aa7f895440693b6a95316849fc4d
Detections:
win_zeus_auto
Create hunting rule
Link:
https://www.unpac.me/results/296ef4df-73b8-4bfa-b154-c8e3dc3911ba/
SH256 hash:
dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279
MD5 hash:
0ee4f395dd071f169e95e34454bbf446
SHA1 hash:
c492097baec0d9d5b3e903cd41915ab5e24a966f
Link:
https://www.unpac.me/results/296ef4df-73b8-4bfa-b154-c8e3dc3911ba/
AV coverage:
81.82%
AV detections:
45 / 55
Link:
https://www.virustotal.com/gui/file/dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279/detection/f-dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279-1449587188
Threat name:
Zbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd72267021d95fea28ad3faf622b5350554ec837f6fd0baa367733c49b2c1279

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:win_zeus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/zeus 1/
Cape
Cape
https://www.capesandbox.com/analysis/69838/

Comments