MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VMZeuS

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf
SHA3-384 hash:	6f5f210a2eaceb5c34204bc08de8c6a14c8f6cf720b30c513285ca05a734a9570f6015fb49c79582097441e6af0c6cbc
SHA1 hash:	b38609c7038343b1087347844d49f3972c45c68b
MD5 hash:	e50adcdf1095ff2eaa9105f3ece34f7e
humanhash:	oven-equal-eighteen-sink
File name:	f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf
Download:	download sample
Signature	VMZeuS Create hunting rule
File size:	1'191'069 bytes
First seen:	2021-08-30 06:25:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep	24576:vRmJkcoQricOIQxiZY1ia2N8opr8Z1fpjzmtwg2cftLWFs0D:kJZoQrbTFZY1ia+pgL5Axdtg5D
Threatray	364 similar samples on MalwareBazaar
TLSH	T12B45D022B595C075C1A22371DE3AF7FA56396D26C322D19733C83D277E701816B2AB63
dhash icon	2d415171494d4145 (1 x VMZeuS)
Reporter	JAMESWT_WT
Tags:	exe vmzeus

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf

Verdict:

Suspicious activity

Analysis date:

2021-08-30 06:52:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/37675928-83f4-4fc4-97fc-267c2bd5ae33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183563/

Detection(s):

SecuriteInfo.com.AutoIT-3.UNOFFICIAL

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.JS.EmbeddedEXE-5.UNOFFICIAL

SecuriteInfo.com.AutoIT-4.UNOFFICIAL

SecuriteInfo.com.AutoIT-86.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Malware family:

Zeus

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a89691d-875d-4fb3-be78-d2b41c4673ef

Result

Threat name:

ZeusVM Citadel

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841305

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Contains VNC / remote desktop functionality (version string found)

Detected unpacking (changes PE section rights)

Detected ZeusVM e-Banking Trojan

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

Overwrites Windows DLL code with PUSH RET codes

Uses Windows timers to delay execution

Yara detected Citadel

Behaviour

Behavior Graph:

Download SVG

Detection:

citadel

Link:

https://mwdb.cert.pl/sample/f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf/

Threat name:

Win32.Trojan.Zeus

Status:

Malicious

First seen:

2021-08-16 13:17:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 46 (71.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6xgkot2wivkt5svntfojtc37r6u23dl37jggcgpe4lrop4flkdhq._file

Verdict:

malicious

VMZeuS

1a722652518e589be34613b12d419efee2235ff0b0a37556fbb9cda5eb27b1d2

VMZeuS

38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844

VMZeuS

3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1

VMZeuS

6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36

VMZeuS

79d3666b7a0fa6f7497eb4675b1ca9c550f8cdbf932f4410f1b8feb8d1e31d49

VMZeuS

7cb4b3df2fb0058a2d8bd5ece903c1c3c6241f0e3b6e85d6c83454a795cde393

VMZeuS

b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30

VMZeuS

fe93d4797dcffea0d8a5bd8dae89f6012fe45fd730e640e18a264d42fa17945e

VMZeuS

+ 354 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210830-vsa272se6j/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

370f986e91165fe8c15ab1b95b587eb3f4d8cfe73ced235995185543cb8f04a1

MD5 hash:

43debddaa1b884229ab0fb0ad46c226f

SHA1 hash:

afd3ce369519b364d8c28a2ff0035dfe00ac1329

Detections:

win_citadel_auto

Link:

https://www.unpac.me/results/99507fe4-acbb-4ec7-95eb-e7fbf6189817/

SH256 hash:

f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf

MD5 hash:

e50adcdf1095ff2eaa9105f3ece34f7e

SHA1 hash:

b38609c7038343b1087347844d49f3972c45c68b

Link:

https://www.unpac.me/results/99507fe4-acbb-4ec7-95eb-e7fbf6189817/

Malware family:

Citadel

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f5cca74f5645/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5cca74f5645553ecaad995c998b7f8fa9ad8d7bfa4c6119e4e2e2e7f0ab50cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183563/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample