MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeuS


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76
SHA3-384 hash: 50fe15d70f764a8a2a44a8d58cb444f98edc626028a13fe08740f6f4844b424604931bef61062a3e49c6747acffee375
SHA1 hash: 57f6137de4d980b048cc54735ad2f3147c2a2c4d
MD5 hash: 2d05e13b54081bb452dff68a0c1e709a
humanhash: fanta-two-spaghetti-idaho
File name:TTClub Bill Of Lading - MIQOTPE001591 - S200055333.scr
Download: download sample
Signature ZeuS
Create hunting rule
File size:845'312 bytes
First seen:2020-10-08 13:15:07 UTC
Last seen:2020-10-12 19:33:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 08b568ba8157e92f7412717386120665 (6 x Loki, 1 x NanoCore, 1 x RemcosRAT)
ssdeep 12288:VkE61gQORc0CmUCXvyaLc/oemqQtlCjiS8A/slGkjnfB4LSSQoNHyCpy3Re:afWW07vyf3m/SzVkjnO2SQ2uQ
Threatray 29 similar samples on MalwareBazaar
TLSH 7805AE22B2E15937C16736399C0B57FC9C3ABD50EE2879566BF4CC4C8F39681342A297
Reporter abuse_ch
Tags:Citadel scr ZeuS


Avatar
abuse_ch
Malspam distributing ZeuS:

HELO: mail.motonina.ga
Sending IP: 133.130.115.6
From: Melody Chen <admin@motonina.ga>
Subject: 10/08 FOB, TYN-CHI // S200055333 / TPE001591
Attachment: ISF 10+2 + Packing list.zip (contains "TTClub Bill Of Lading - MIQOTPE001591 - S200055333.scr")

ZeuS C2:
http://agiiysys.com/nipat/gate.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'588
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69263/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Setting browser functions hooks
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Launching cmd.exe command interpreter
Launching a process
Launching the process to change the firewall settings
Launching a service
Launching the process to interact with network services
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a browser process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485508
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)
Drops batch files with force delete cmd (self deletion)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites Windows DLL code with PUSH RET codes
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295306 Sample: TTClub Bill Of Lading - MIQ... Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 7 other signatures 2->62 9 TTClub Bill Of Lading - MIQOTPE001591 - S200055333.exe 2->9         started        process3 signatures4 72 Maps a DLL or memory area into another process 9->72 12 TTClub Bill Of Lading - MIQOTPE001591 - S200055333.exe 9 9->12         started        process5 file6 40 C:\Users\user\AppData\...\ypaptyumiv.exe, PE32 12->40 dropped 42 C:\Users\user\AppData\...\tmpd4fe2c1d.bat, DOS 12->42 dropped 44 C:\Users\user\AppData\Local\...\tmpB1DE.tmp, PE32 12->44 dropped 46 C:\Users\user\AppData\Local\...\tmpB122.tmp, PE32 12->46 dropped 86 Overwrites Windows DLL code with PUSH RET codes 12->86 88 Overwrites code with function prologues 12->88 90 Renames NTDLL to bypass HIPS 12->90 16 ypaptyumiv.exe 12->16         started        19 cmd.exe 1 12->19         started        signatures7 process8 signatures9 48 Antivirus detection for dropped file 16->48 50 Detected unpacking (changes PE section rights) 16->50 52 Detected unpacking (overwrites its own PE header) 16->52 54 3 other signatures 16->54 21 ypaptyumiv.exe 2 16->21         started        25 conhost.exe 19->25         started        process10 file11 36 C:\Users\user\AppData\Local\...\tmpC651.tmp, PE32 21->36 dropped 38 C:\Users\user\AppData\Local\...\tmpC5B4.tmp, PE32 21->38 dropped 64 Injects code into the Windows Explorer (explorer.exe) 21->64 66 Overwrites Windows DLL code with PUSH RET codes 21->66 68 Overwrites code with function prologues 21->68 70 5 other signatures 21->70 27 njygrpQzekgKuGEes.exe 2 2 21->27 injected 30 njygrpQzekgKuGEes.exe 21->30 injected 32 sihost.exe 21->32 injected 34 13 other processes 21->34 signatures12 process13 signatures14 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->74 76 Tries to steal Mail credentials (via file access) 27->76 78 Disables Internet Explorer cookie cleaning (a user can no longer delete cookies) 27->78 84 2 other signatures 27->84 80 Overwrites Windows DLL code with PUSH RET codes 30->80 82 Overwrites code with function prologues 30->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 07:25:15 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wrinz5e6t557i37kqo5bz2wca4iqorrke42jj6pkchsjefidn3a._file
Verdict:
malicious
Similar samples:
0e870ae38822a23ec2dbc955c7d749b44ffad06338feccf6b6427cc1d4ee228a
ZeuS
1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
ZeuS
27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166
ZeuS
2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
ZeuS
2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
ZeuS
371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
ZeuS
76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
ZeuS
b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
ZeuS
b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3
ZeuS
fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
ZeuS
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence evasion spyware discovery
Link:
https://tria.ge/reports/201008-llvap5jl2a/
Behaviour
Enumerates processes with tasklist
Gathers network information
Modifies Internet Explorer settings
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Unpacked files
SH256 hash:
910dd60d398a504aa85c83e0f574489f52609762f28d0b2be13d838b627e8134
MD5 hash:
b4516e5fe64fd458414833a2185b1441
SHA1 hash:
81214eaa6e41d3cb59bf6feac2bc0b9bb7b5503a
Link:
https://www.unpac.me/results/5fabd3a7-cdd7-4c91-b20f-09db76044fe5/
SH256 hash:
f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76
MD5 hash:
2d05e13b54081bb452dff68a0c1e709a
SHA1 hash:
57f6137de4d980b048cc54735ad2f3147c2a2c4d
Link:
https://www.unpac.me/results/5fabd3a7-cdd7-4c91-b20f-09db76044fe5/
Malware family:
Atmos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5a286e7a4f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Atmos_Malware
Create hunting rule
Author:xylitol@temari.fr
Description:Generic Spyware.Citadel.Atmos Signature
Reference:http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Rule name:Atmos_Packed_Malware
Create hunting rule
Author:xylitol@temari.fr
Description:Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer
Reference:http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Rule name:citadel13xy
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Citadel 1.5.x.y trojan banker
Rule name:win_citadel_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZeuS

zip 36c5d2ff323ef31d050a3cb5ec1b9f2cf1b5b03c9204d2ffbc2223ace8654063

ZeuS

Executable exe f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76

(this sample)

  
Dropped by
MD5 bcda33d4475675cc1b8cf5d1482a6ead
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69263/
  
Dropped by
SHA256 36c5d2ff323ef31d050a3cb5ec1b9f2cf1b5b03c9204d2ffbc2223ace8654063

Comments