MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3
SHA3-384 hash: b93b74753ca60a402bebd0e6ef541abf2a6ae01b9b5eaa80fc689130e99bcdfde9cdc95cd367b56804e72a21579d7977
SHA1 hash: a72e76fbd5dfa53b3d27ed9d9e6d194a085d7d0e
MD5 hash: dc6b98b9707c0922ab6a53b3efdd5dac
humanhash: kansas-timing-arizona-single
File name: zeus 2_2.1.0.3.vir
Signature: ZeuS
File size: 204'288 bytes
First seen: 2020-07-19 16:47:24 UTC
Last seen: 2020-07-19 19:11:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d4d53465e89ec111b92611e5ac002a64
ssdeep: 3072:hegn0/CPJCVJx55PUw9B/kRdOm+OiSTW+EJ2Fm5KEUxR4:heT6PJKJTkrOm+jl+E/Q8
TLSH: BB14D028FDA4C0B3C40514BD4A79CAF2B629B9390774C8837BD81F67DFE22C19965296
Reporter: @tildedennis
Tags: ZeuS zeus 2


Twitter (@tildedennis): zeus 2 version 2.1.0.3

Intelligence

File Origin
# of uploads: 3
# of downloads: 19
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247220; sample: zeus 2_2.1.0.3.vir; start date: 20/07/2020; architecture: WINDOWS; score: 100)
Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 8 other signatures; Adds a new user with administrator rights; Machine Learning detection for dropped file; Uses ping.exe to sleep; Hides user accounts
Processes started: zeus 2_2.1.0.3.exe, update.exe, setx.exe, update.exe; from zeus 2_2.1.0.3.exe: new.exe, cmd.exe, reg.exe, 6 other processes; from update.exe: update.exe; from setx.exe: conhost.exe; from new.exe: new.exe; from cmd.exe: conhost.exe, PING.EXE, PING.EXE, 3 other processes; net1.exe (4 instances)
Dropped files: C:\Users\user\Desktop\new.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\update.exe (MS-DOS); C:\ProgramData\Microsoft\...\update.exe (MS-DOS)
DNS/IP: 2.1.0.3 FranceTelecom-OrangeFR France
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2012-01-24 11:45:00 UTC
AV detection: 23 of 25 (92.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies Internet Explorer settings
NTFS ADS
Runs ping.exe
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies WinLogon
Adds Run key to start application
Adds Run key to start application
Modifies WinLogon
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Grants admin privileges
Grants admin privileges

Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments