MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae
SHA3-384 hash: 767c1e047537fe22702f2ddb01490f5a0cd45a26c5ce614df141f1719a294f96af5ca94d63841e41a7daac39cac48c9b
SHA1 hash: ad9a1528b5dcf820f0790f8f2ffefa8839cd43a0
MD5 hash: f1478eb97a80b4dc8113447d52764527
humanhash: nineteen-nebraska-enemy-bravo
File name: vmzeus_3.3.2.0.vir
Signature: ZeuS
File size: 253'952 bytes
First seen: 2020-07-19 17:17:11 UTC
Last seen: 2020-07-19 19:14:08 UTC
File type: exe
MIME type: application/x-dosexec
imphash: 9d72953ecf1c4f8632ada5a77299dc7f
ssdeep: 6144:1E7WvpZuXFrJRsmLVtf8d1zOIDYIz+Uf0oWyPp:YWvpZySmxtEdx7ZS+B
TLSH: 4944D01231A1E8B1E0A61D342490A7957C7C7833226696C7FBD41FBBDAD43D2867A2C7
Reporter: @tildedennis
Tags: vmzeus ZeuS
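Before a downloaded copy of this sample goes anywhere near a sandbox or disassembler, it is worth confirming that the file on disk is the one this record describes. The following is an added example (not code from MalwareBazaar) that recomputes the four cryptographic hashes listed above with Python's hashlib, both in memory and as a chunked read for large files, and compares them against the record. The bytes it hashes when run without arguments are a constructed stand-in, so every comparison against the record is expected to be False; point it at a real download to get a meaningful answer. imphash, ssdeep and TLSH need the pefile, ssdeep and py-tlsh packages and are not covered here.

```python
"""Recompute the record's hashes over a file or byte string and compare them.

Added example, not code from MalwareBazaar. STANDIN is constructed filler,
not the vmzeus sample.
"""
import hashlib
import os
import tempfile

# Hashes and size as published on the record above.
RECORD_HASHES = {
    "sha256": "fa5f5817b08add918117f89e06e53abea40fcda0ae3ae588622f9c1a73202cae",
    "sha3_384": "767c1e047537fe22702f2ddb01490f5a0cd45a26c5ce614df141f1719a294f96af5ca94d63841e41a7daac39cac48c9b",
    "sha1": "ad9a1528b5dcf820f0790f8f2ffefa8839cd43a0",
    "md5": "f1478eb97a80b4dc8113447d52764527",
}
RECORD_SIZE = 253952

# Constructed stand-in bytes: an MZ signature plus filler, nothing from the real sample.
STANDIN = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not vmzeus_3.3.2.0.vir"


def digests(data: bytes, algos=tuple(RECORD_HASHES)) -> dict:
    """Hex digests of an in-memory buffer for each hashlib algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def digest_file(path: str, algos=tuple(RECORD_HASHES), chunk_size: int = 1 << 20) -> dict:
    """Same as digests() but streams the file, so a large sample never sits fully in memory."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(observed: dict, expected: dict) -> dict:
    """Per-algorithm comparison; hex case differs between sites, so compare lower-cased."""
    return {a: observed.get(a, "").lower() == v.lower() for a, v in expected.items()}


def matches(observed: dict, expected: dict) -> bool:
    """True only if every published hash agrees; a single mismatch means a different file."""
    return all(verify(observed, expected).values())


def streaming_matches(data: bytes) -> bool:
    """Self-check: the chunked file path must give the same digests as the in-memory path."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    try:
        tmp.write(data)
        tmp.close()
        return digest_file(tmp.name) == digests(data)
    finally:
        os.remove(tmp.name)


def check_sample(path: str) -> dict:
    """Report size and hash agreement for a file on disk against the record."""
    observed = digest_file(path)
    return {
        "size_matches": os.path.getsize(path) == RECORD_SIZE,
        "hashes": verify(observed, RECORD_HASHES),
        "all_match": matches(observed, RECORD_HASHES),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_sample(sys.argv[1]))
    else:
        # No file given: compare the constructed bytes, which fail every check by design.
        print(verify(digests(STANDIN), RECORD_HASHES))
```

Treat agreement on SHA256 or SHA3-384 as the authoritative match; MD5 and SHA1 are collision-broken and are kept only for cross-referencing older reports that still key on them.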


Twitter
@tildedennis
vmzeus version 3.3.2.0

Intelligence


File Origin
# of uploads: 2
# of downloads: 21
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Unauthorized injection to a recently created process
  Connection attempt to an infection source

Result
Threat name: ZeusVM
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Behaviour (behavior graph ID 247223, reproduced here as text; the graph image itself is not shown):
  Sample: vmzeus_3.3.2.0.vir, start date 20/07/2020, architecture WINDOWS, score 100
  Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
  vmzeus_3.3.2.0.exe (started from the sample):
    Network: 3.3.2.0 (AMAZON-02, United States)
    Dropped: C:\Users\user\AppData\...\winMozilla.exe (PE32); C:\Users\user\AppData\...\tmpa8313950.bat (DOS)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Detected ZeusVM e-Banking Trojan; 5 other signatures
    Started: winMozilla.exe, cmd.exe, WerFault.exe, 2 other processes
  winMozilla.exe (dropped):
    Network: maximorong.biz
    Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 8 other signatures
    Started: WerFault.exe (three instances), 8 other processes
  cmd.exe: started conhost.exe
  WerFault.exe (two instances): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Result
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2013-12-02 17:21:00 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence
Behaviour:
  Suspicious use of WriteProcessMemory
  Suspicious use of FindShellTrayWindow
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Program crash
  Adds Run key to start application
  Loads dropped DLL
  Deletes itself
  Identifies Wine through registry keys
  Executes dropped EXE
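The behaviour names above are sandbox verdict labels, not the underlying checks. As an added illustration (not from the page or from any vendor), the following Python runs equivalent checks over a constructed trace of process, registry and file events whose artefact names mirror the ones reported on this page: the probe of HKCU\Software\Wine, a Run key that points at a file the same process just dropped, execution of that dropped file, and deletion of the original binary by a cmd.exe running a dropped batch script. The full AppData paths (the record truncates them), the pids, and the link between the .bat drop and the self-deletion are assumptions made for the example.

```python
"""Toy detection pass over constructed sandbox events for the behaviours listed above.

Added example, not from the page or any vendor. Events, pids and full paths are
constructed; the record truncates the AppData paths, so the subfolders here are assumed.
"""
from collections import defaultdict

RUN_KEY = r"\software\microsoft\windows\currentversion\run"

ORIG = r"C:\Users\user\Desktop\vmzeus_3.3.2.0.exe"
DROPPED_EXE = r"C:\Users\user\AppData\Roaming\winMozilla.exe"       # assumed subfolder
DROPPED_BAT = r"C:\Users\user\AppData\Local\Temp\tmpa8313950.bat"   # assumed subfolder
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed event trace in execution order (pid, image, operation, target, extras).
EVENTS = [
    {"pid": 100, "image": ORIG, "op": "RegOpenKey", "target": r"HKCU\Software\Wine"},
    {"pid": 100, "image": ORIG, "op": "FileWrite", "target": DROPPED_EXE},
    {"pid": 100, "image": ORIG, "op": "RegSetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winMozilla",
     "data": DROPPED_EXE},
    {"pid": 100, "image": ORIG, "op": "ProcessCreate", "target": DROPPED_EXE},
    {"pid": 100, "image": ORIG, "op": "FileWrite", "target": DROPPED_BAT},
    {"pid": 100, "image": ORIG, "op": "ProcessCreate", "target": CMD,
     "cmdline": f'cmd.exe /c "{DROPPED_BAT}"'},
    {"pid": 300, "image": CMD, "op": "FileDelete", "target": ORIG},
    {"pid": 300, "image": CMD, "op": "FileDelete", "target": DROPPED_BAT},
]


def detect(events):
    """Return {behaviour_name: [evidence, ...]} for the behaviours seen in the trace."""
    hits = defaultdict(list)
    written = defaultdict(set)                       # pid -> lower-cased paths it has written so far
    images = {e["image"].lower() for e in events}    # executables that ran somewhere in the trace
    for e in events:
        op, target = e["op"], e["target"]
        low = target.lower()
        if op in ("RegOpenKey", "RegQueryValue") and r"\software\wine" in low:
            # Probing HKCU\Software\Wine is a Wine/sandbox check; a banking client has no reason to.
            hits["identifies_wine_via_registry"].append(target)
        elif op == "FileWrite":
            written[e["pid"]].add(low)
        elif op == "RegSetValue" and RUN_KEY in low:
            data = e.get("data", "")
            # Persistence is more damning when the Run value points at a file this process dropped.
            name = "run_key_points_to_dropped_file" if data.lower() in written[e["pid"]] else "run_key_added"
            hits[name].append(f"{target} = {data}")
        elif op == "ProcessCreate":
            if low in written[e["pid"]]:
                hits["executes_dropped_exe"].append(target)
            cmdline = e.get("cmdline", "").lower()
            if any(p in cmdline for p in written[e["pid"]] if p.endswith(".bat")):
                hits["runs_dropped_batch_script"].append(e["cmdline"])
        elif op == "FileDelete" and low in images and low != e["image"].lower():
            # A helper process deleting a binary that ran earlier in the trace: self-deletion by proxy.
            hits["deletes_original_binary"].append(f"{e['image']} deleted {target}")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in detect(EVENTS).items():
        print(name)
        for line in evidence:
            print("   ", line)
```

The ordering matters: each check only fires against files the same pid wrote earlier in the trace, which is what separates "executes dropped EXE" from an ordinary process launch, and the deletion check deliberately ignores a process deleting its own image, since that is impossible on Windows while the image is mapped and the real pattern is always a second process.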
Result
Threat name: Unknown
Score: 1.00
